In the new draft 800-63, AAL2 requires multi-factor authentication and requires a user to authenticate fully every 12 hours. In the Duo context, this would require a 12-hour "trusted device" setting.
In MFA Technologies, Threats, and Usage we don't explicitly allow for an IdP to separately (a) verify your device's access to a (non-password-secured) locally installed private key and (b) authenticate the user via forms (username/password). It seems like this would be okay; however, we don't clearly identify it as acceptable, because all of the explicitly listed PKI-challenge-based solutions in Table 1 (#11-14) indicate that password protection exists at the cert/device level. (Non-password-protected H/TOTP tokens are listed, but PKI-challenge-based ones are not.)
A future, updated version of this page should probably include enough information to clarify that this approach (IdP performs separate key and password challenges) is acceptable.
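As an added illustration (not part of the original page or of the MFA profile it discusses), the following Go program sketches the approach described above: the IdP issues a fresh nonce and checks the device's signature over it with an unprotected, locally installed key (factor a), checks the username/password submitted through a form (factor b), and only issues a session when both succeed independently. The session carries the draft 800-63 AAL2 12-hour full-reauthentication clock from the first paragraph. Names such as IdP, Principal, Session, Register, Challenge and Authenticate are hypothetical; the password hash is an iterated salted SHA-256 stand-in so the program runs on the standard library alone, and a real deployment would use argon2id or bcrypt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// aal2MaxSession is the draft 800-63 AAL2 limit: a full (both-factor)
// authentication is required at least every 12 hours.
const aal2MaxSession = 12 * time.Hour

// Principal is what the IdP stores for a registered user: the public half of
// the device key (the private half is NOT password protected on the device)
// and a salted password hash for the form-based factor.
type Principal struct {
	DevicePub ed25519.PublicKey
	PwSalt    []byte
	PwHash    []byte
}

// Session records when the last full two-factor authentication happened.
type Session struct {
	User            string
	AuthenticatedAt time.Time
}

// IdP is a minimal, in-memory identity provider (hypothetical, for illustration).
type IdP struct {
	users   map[string]*Principal
	pending map[string][]byte // outstanding nonces, consumed on first use
}

func NewIdP() *IdP {
	return &IdP{users: map[string]*Principal{}, pending: map[string][]byte{}}
}

// NewDeviceKey generates the device key pair; in practice this lives on the
// user's machine and only the public key is enrolled at the IdP.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// hashPassword is a stand-in password hash (iterated salted SHA-256).
// Use argon2id or bcrypt in a real IdP; this keeps the example stdlib-only.
func hashPassword(salt []byte, pw string) []byte {
	buf := append(append([]byte{}, salt...), pw...)
	h := sha256.Sum256(buf)
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// Register enrolls a user's device public key and password.
func (idp *IdP) Register(user string, pub ed25519.PublicKey, password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	idp.users[user] = &Principal{DevicePub: pub, PwSalt: salt, PwHash: hashPassword(salt, password)}
	return nil
}

// Challenge issues a fresh random nonce; proving possession of the device key
// means signing exactly this nonce, so a captured signature cannot be reused.
func (idp *IdP) Challenge(user string) ([]byte, error) {
	if _, ok := idp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	idp.pending[user] = nonce
	return nonce, nil
}

// SignChallenge is the device side of factor (a): sign the IdP's nonce with
// the locally installed private key (no password unlock involved).
func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Authenticate checks the two factors separately and issues a session only if
// both pass. The error is deliberately generic so the response does not reveal
// which factor failed; per-factor detail belongs in the IdP's own audit log.
func (idp *IdP) Authenticate(user string, sig []byte, password string, now time.Time) (*Session, error) {
	p, ok := idp.users[user]
	if !ok {
		return nil, errors.New("authentication failed")
	}
	nonce, ok := idp.pending[user]
	if !ok {
		return nil, errors.New("authentication failed") // no outstanding challenge
	}
	delete(idp.pending, user) // single use: replaying the signature fails
	keyOK := ed25519.Verify(p.DevicePub, nonce, sig)
	pwOK := subtle.ConstantTimeCompare(hashPassword(p.PwSalt, password), p.PwHash) == 1
	if !keyOK || !pwOK {
		return nil, errors.New("authentication failed")
	}
	return &Session{User: user, AuthenticatedAt: now}, nil
}

// NeedsReauth reports whether the AAL2 12-hour clock has run out, i.e. the
// point at which a 12-hour "trusted device" window would expire.
func (s *Session) NeedsReauth(now time.Time) bool {
	return now.Sub(s.AuthenticatedAt) >= aal2MaxSession
}

func main() {
	idp := NewIdP()
	pub, priv := NewDeviceKey()
	_ = idp.Register("alice", pub, "correct horse battery staple") // constructed sample credential
	nonce, _ := idp.Challenge("alice")
	start := time.Now()
	sess, err := idp.Authenticate("alice", SignChallenge(priv, nonce), "correct horse battery staple", start)
	fmt.Println("authenticated:", err == nil)
	fmt.Println("reauth needed after 11h:", sess.NeedsReauth(start.Add(11*time.Hour)))
	fmt.Println("reauth needed after 12h:", sess.NeedsReauth(start.Add(12*time.Hour)))
}
```

The point of keeping Challenge and Authenticate as two IdP-side steps is that the key proof and the password proof are evaluated by the same party but as independent factors, which is the arrangement the profile text does not currently name; either factor alone, or a replayed signature, is rejected.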