Add MFA login option to "trust this computer for x days" where x is an admin setting configurable number of days from code being entered. This would allow a user to trust a browser and not be prompted every time they login to web applications. After x number of days the user is prompted to re-enter new MFA code.
Also give some thought about adding "trusted networks" (thinking internal subnets so something like 10.10.*.*, 192.168.67.*, etc) that can forgo the need for MFA completely.