There's a really good article, with example code and a sample APEX application at https://apexutil.blogspot.com/2018/07/two-factor-authentication-with-apex.html However, this is based around Google authenticator but, is still a good POC.
We have the same requirement coming up. Sorry, that it isn't specifically tied to CAS but, we'll probably follow this concept as it allows us work with our own Times-based One-Time Password (TOTP) code (of course we have to argue about it with our own security folks first ). So, we won't use this out of the box but, this will, basically, be our approach.
I Hope this was helpful.