...
Choice of multi-factor technology should be documented together with the use of password in the IMPS, section 5.1 Credential Operating Environment.
Single-Factor and Multi-Factor OTP Devices have the same weaknes to social engineering as passwords but one OTP code can only be used once and if a time based OTP (TOTP) solution is used the risc is further reduced but not negliable.
...