I started and had a Two-Factor auth (TFA) module working in early 2017, but the project it was intended for never moved beyond the concept phase.
I hope it's either close to what you need or at least inspires your solution. Here's the repository that contains a working test project:
https://github.com/tieniber/TwoFactorLoginForm
Unfortunately, it's not documented. Here are the cliff notes:
The test project also contains "magic link" logins, where a user could be emailed a link, and that link would log them directly into their home page.
I would discuss with the client the "without generating a valid logged in user session" part. Because this could be handled in the home microflow where you do this check before opening the homepage. This could be done with little effort while the other one might be very hard or impossible. So why is a user session not allowed?
Regards,
Ronald