Unavailability of Duo’s MFA product is extremely rare. But when it does happen, IT admins can switch to “bypass” mode to only require the 1st factor. So even though Duo doesn’t have 100% uptime, you’re no worse than no MFA


Scrolling through their incident feed, it seems to be a bit more frequent than "extremely rare".

Remember that critical industry is a sector where patching software is viewed as risky, because changing anything when it works is seen as unnecessary, and would often have weeks or months of pre-deployment testing. They work on a different time-base to the IT world.

The ability to do a "bypass" is nice in theory, but the need for this option will resonate with the "old guard", who will be able to use this external dependency to keep it out.

Personally I prefer smartcard-based solutions for MFA, since you can do all verification offline without requiring any third party to inject themselves into the chain. I found a good example of a vulnerability this year in Duo that just shows their validation logic is complex enough that one user was able to pass 2FA as another user [1].

That's probably your second worst case scenario, with the worst being an outsider being able to pass 2FA. A well-implemented smartcard scheme shouldn't fail in this way, as you're distributing validation logic to each device, rather than centralising it and relying on a "trusted outsider" to give a "yes or no".

[1] https://sensepost.com/blog/2021/duo-two-factor-authenticatio...


Personally I prefer TOTP. It can be phone or card based, but it's very easy to use, deploy, and rotate. The logistics of shipping and rotating physical smartcards to employees, not to mention having said employees carry that smartcard around with them, seems too much for basically no gain.


One downside of TOTP is that there's no phishing protection - a TOTP credential can be phished, relayed and replayed in real-time.
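To make the contrast between the two comments above concrete, here is an added example (not from any commenter, and not Duo's or anyone's product code) in Python's standard library only. It implements RFC 4226 HOTP / RFC 6238 TOTP, then shows server-side why a TOTP code forwarded to the real service a few seconds after the user typed it still verifies (the code carries no information about who is presenting it or where), and why rejecting already-consumed counters (the RFC 6238 "one use" rule) stops a later replay but not a real-time relay. The second half is a simplified origin-bound challenge-response in the spirit of the offline-verified smartcard/FIDO model: the client signs the challenge together with the origin it is actually talking to, so a response gathered on a look-alike origin fails verification. The HMAC used as the "signature" and the `bank.example` / `bank-login.example` origins are constructed stand-ins for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check: accept +/-`window` steps of clock skew, and never accept
    a counter value that has already been consumed (the RFC 6238 one-use rule)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1  # highest counter successfully used so far

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for offset in range(-self.window, self.window + 1):
            c = counter + offset
            if c <= self.last_counter:
                continue  # already used: defeats replay of a captured code
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


# Constructed demo secret (the common "JBSWY3DPEHPK3PXP" base32 example).
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def totp_relay_scenario():
    """Returns (relayed_accepted, replayed_accepted).

    The code the user reads at t0 is forwarded to the real service 5 seconds
    later: it verifies, because nothing in it binds it to the user's session or
    to the site the user believed they were on. Presenting the same code again
    20 seconds later fails only because the verifier tracks consumed counters."""
    t0 = 1_700_000_000
    server = TotpVerifier(SECRET)
    code = totp(SECRET, t0)
    relayed = server.verify(code, t0 + 5)
    replayed = server.verify(code, t0 + 20)
    return relayed, replayed


def challenge_response_sign(key: bytes, challenge: bytes, client_seen_origin: str) -> str:
    """Client/authenticator side. HMAC stands in for an asymmetric signature
    (assumption for a stdlib-only demo). The response is bound to the origin the
    client is actually connected to, not to whatever origin a relay claims."""
    msg = challenge + b"|" + client_seen_origin.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def challenge_response_verify(key: bytes, challenge: bytes, expected_origin: str, response: str) -> bool:
    """Service side: recompute over the service's own origin and compare."""
    expected = challenge_response_sign(key, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


def challenge_relay_scenario():
    """Returns (direct_accepted, relayed_accepted) for an origin-bound scheme."""
    key = b"constructed-authenticator-key"
    challenge = os.urandom(16)  # fresh per-login nonce issued by the real service
    direct = challenge_response_verify(
        key, challenge, "bank.example",
        challenge_response_sign(key, challenge, "bank.example"))
    # Same challenge, but the client was on a look-alike origin when it signed:
    relayed = challenge_response_verify(
        key, challenge, "bank.example",
        challenge_response_sign(key, challenge, "bank-login.example"))
    return direct, relayed


if __name__ == "__main__":
    print("TOTP   (relayed, replayed):", totp_relay_scenario())
    print("Origin-bound (direct, relayed):", challenge_relay_scenario())
```

The TOTP half is checked against the published RFC 4226 and RFC 6238 test vectors, so the generator is the real algorithm rather than a toy. The point it demonstrates is the one in the comment: the one-use rule is worth implementing on the server, but it only closes the replay case; the real-time relay is accepted by design, and only a scheme where the client's response depends on the origin it is actually connected to closes that.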



