Suggestion - Better 2FA?
That would be great if you can add a customer request for changing the timeout period.
As far as remembering / trusting devices goes, many others do this ... I understand that it's not as simple as leaving a cookie on a device to trust it, but there are many ways to do it that are effective enough for other companies to use. Take Teamviewer for example. Even if you don't use their 2FA, they still make you do captchas, add devices to a trusted list, and watch things like what IP you log in from. If you use some kind of fingerprint of the device, combined with the IP address it's coming from, that should be pretty solid, should it not? The other thing to consider here is the adoption factor. Any 2FA is better than none at all, so while device trust may be somewhat of a compromise for 2FA effectiveness, if adding it makes more people use it, then isn't it overall still a good thing?