.NET IIS Server - two factor access options

Spacely Sprockets has a .NET server running IIS. It has a main page and four URLs and it hooks into MS SQL on the back end. Main Page, Retail Sprockets, Wholesale Sprockets, Government Sprockets, Spacely Partners. Each of the sub web sites has its own user ID and password required. Mr. Spacely would like there to be two factor authentication to be able to access any other these. He's thinking perhaps just to get to the web site a user would need a user ID and password and a two factor. And then this would be kind of a two factor authentication as after you've 2FA'd to the main site you're then permitted to use UID/PW to reach any of the sub web sites. This seems out of the spirit of true 2FA which would send you a token when you accessed any of the sub web sites. But then it's not my expertise either. Is the old man's request reasonable? If yes would it be best resolved at the server? PAN firewall? Citrix Load Balancer? It seems to me like we're really talking about publishing five applications. Help! Jane stock this crazy thing!