There's a really good article, with example code and a sample APEX application, at https://apexutil.blogspot.com/2018/07/two-factor-authentication-with-apex.html. However, this is based around Google Authenticator, but it is still a good POC.
We have the same requirement coming up. Sorry that it isn't specifically tied to CAS, but we'll probably follow this concept, as it allows us to work with our own Time-based One-Time Password (TOTP) code (of course, we have to argue about it with our own security folks first). So we won't use this out of the box, but this will basically be our approach.
I hope this was helpful.