So just mentioning this from previously.  With a Duo token on an IOS smartphone, (not the hardware token), you can support the push notification.  No need for an OTP.  My screen looks like this.  I hit connect with Duo 2FA at the bottom.  

If I have used the Duo SSO page to access, then it does SSO all the way in and I'm not prompted for approval, as I already did all of that with the Duo SSO page.  

If I navigate directly to the screenconnect web page, and do Login, I then see the screen shot 1 below.  Clicking on the "Connect with Duo 2FA" takes me to my Duo SSO web page.  Most of my users use the Duo SSO page to start though.  

In the Admin page in Duo you configure the SAML integration.  Second screenshot.  

I don't have any users with hardware tokens, and I know some folks were asking about that one.  

I keep mentioning Duo SSO, but this is the replacement to the Duo Access Gateway which was deprecated this past year (by Duo.)  It is a service hosted in your Duo portal.  You can add any SAML integrated apps, or bookmarks for your organization.  See third screenshot just an example.  

Hi Bill, saw your comment, ScreenConnect supports the full DUO 2 Factor.  From the Push, to a one time password, to an sms on your phone, to the bypass code you are asking about.  We have it working internally for both the Cloud version of ScreenConnect and our Automate version of it.  We are using Duo on our Smart Phones, but the test with the bypass code doesn't rely on that.  If an engineer forgets their phone, we setup a bypass code for the day.  And they can work.  

For anybody who hasn't upgraded to the latest release of Control, they do have DUO integration.  I have it working.  However if you use the Duo Access Gateway, and you click the link you setup on that page for Control, The expected behavior should prompt you with the screenshot above, (Send Me A Push), but it does not.  It requires you click the "login with external provider", then you are prompted with "Send me a Push."  We think there is a logout url missing in the metadata used when creating the configuration on the DAG.  Not 100% sure on that, just something we are speculating on that appears to be missing.  Hopefully they will resolve soon.  I am on cloud version 6.5.16479.  If you are looking to upgrade be cautious, we have Labtech 11 patch 19, and 6.5 is not officially supported on-prem, (but they can get it to work), but the hosted cloud version it definitely doesn't work.  

Hoping they resolve the issues soon.