Hi Hackling,
Ah, the dreaded "more security = less security" dilemma has plagued us IT guys for decades. Two-factor authentication is definitely the right path, but you have to keep it simple or else it won't be used (or, as you said, written down, aaahhh). I have found that if my users can just remember one solid password and use LastPass with a YubiKey, their lives (as well as mine) can be better :). Now, certain timeout adjustments should be made to the LastPass settings depending on the user (i.e., if the user doesn't touch the keyboard for X minutes, LastPass automatically logs them out and they have to perform the TFA again). I've been using LastPass with YubiKey for some time now and am very happy with the results. Those few times that I leave my YubiKey at home really show me how secure my passwords really are.
I hope this reply helps you!