Multi-factor auth fatigue is real – and it's why you may be in the headlines next

Greybearded old scrote Silver badge

Yes. Don't think you can change your people to suit your computers. That has failed over and over.

Possession of a YubiKey (or similar) beats possession of a phone for the second factor, not least because the phone number isn't terribly difficult to steal either.

As for locking out after N failures, I prefer rapidly increasing delays to successive attempts. It encourages the attacker to move on with less inconvenience to the user.
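The increasing-delay approach described in the comment above, sketched as an added example (not part of the original comment or of any product's code). The class name, the doubling factor, the 15-minute cap and the injectable clock are all assumptions made for illustration.

```python
import time


class BackoffThrottle:
    """Per-account delay that grows after each failure, instead of a hard lockout."""

    def __init__(self, base=1.0, factor=2.0, cap=900.0, clock=time.monotonic):
        self.base, self.factor, self.cap = base, factor, cap  # assumed defaults
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, earliest next attempt)

    def wait_required(self, account):
        """Seconds left before the next attempt for this account is evaluated."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def attempt(self, account, verify):
        """Return 'ok', 'denied' or 'throttled'. `verify` is a zero-argument
        callable; it is not called while throttled, so guesses made during
        the delay are never checked against the real credential."""
        if self.wait_required(account) > 0:
            return "throttled"
        if verify():
            self._state.pop(account, None)  # success clears the failure history
            return "ok"
        failures = self._state.get(account, (0, 0.0))[0] + 1
        # Exponent is bounded so a long attack cannot overflow the float.
        delay = min(self.cap, self.base * self.factor ** min(failures - 1, 64))
        self._state[account] = (failures, self.clock() + delay)
        return "denied"


class FakeClock:
    """Constructed test clock so the example runs instantly and offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Five wrong guesses in a row, each made as soon as the delay expires."""
    clock = FakeClock()
    throttle = BackoffThrottle(clock=clock)
    delays = []
    for _ in range(5):
        throttle.attempt("alice", lambda: False)
        delays.append(throttle.wait_required("alice"))
        clock.now += delays[-1]
    return delays
```

A legitimate user who mistypes once waits a second and carries on, while sustained guessing quickly reaches the cap; the account never needs an administrator to unlock it.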
