Sign in options for Windows 10

We have our Azure and Intunes setup for MFA using USB tokens with PIN to sign into Windows 10. Many users are doing this correctly but some users have discovered that they can either just continue logging in with a password or set the Windows PIN to match the MFA PIN and not bother plugging the USB token in.

How can we disable the PIN and Password so everyone is forced to use the USB token?