Closed
Description
This would be really nice to have. Specifically, TOTP and security keys (FIDO U2F).
How I envision it working:
- Option to require users to set up 2FA when they first log in OR if not enforced, just the option to set it up from their settings page
- Generate a secret using an OTP lib, display the QR code to the user for them to scan it with their phone app, store the key for the user in the DB
- Require the user to enter an OTP code to confirm they have it
- Optionally, once they have OTP set up, they could add a security key as an alternative (e.g. shameless plug: https://bluink.ca/key, or a Yubikey)
- U2F works by storing a key handle, certificate, public key and counter once registered. Most of the hard work is probably dealt with by the lib, but some stuff needs to be done with JS to enable the client-side support.
Libs you could use:
- https://github.com/pquerna/otp (I recommend just using TOTP, not HOTP because TOTP is easier to use, but just as secure)
- https://github.com/ryankurte/go-u2f
I can probably answer any questions you have about it.
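As an added example (not part of the issue above and not the project's own code), here is the TOTP half of the flow the post describes, written in Go against the standard library only, so it does not depend on pquerna/otp: generate a secret, build the otpauth URI that gets rendered into the QR code, require one valid code to confirm enrollment, then verify codes at login with a one-step skew window and replay refusal. The issuer `ExampleApp` and account `alice` in `main` are placeholders; the fixed key in the comments is the RFC 4226/6238 test key, used only so the output can be checked against the RFC vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"net/url"
	"strconv"
	"time"
)

// RFC 6238 defaults (30-second step, 6 digits, HMAC-SHA1): what phone authenticator apps expect.
const (
	totpStep   = 30
	totpDigits = 6
)

// Authenticator apps take the secret as unpadded base32.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// NewSecret returns a fresh 160-bit secret, base32-encoded for the otpauth URI and the DB.
func NewSecret() (string, error) {
	raw := make([]byte, 20)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return b32.EncodeToString(raw), nil
}

// ProvisioningURI builds the otpauth:// URI that is encoded into the QR code the user scans.
func ProvisioningURI(issuer, account, secret string) string {
	q := url.Values{}
	q.Set("secret", secret)
	q.Set("issuer", issuer)
	q.Set("algorithm", "SHA1")
	q.Set("digits", strconv.Itoa(totpDigits))
	q.Set("period", strconv.Itoa(totpStep))
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", totpDigits, code%uint32(math.Pow10(totpDigits)))
}

// TOTPCode is RFC 6238: HOTP with the counter set to the current time step.
// For the RFC test key (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at t=59 this yields 287082.
func TOTPCode(secret string, t time.Time) (string, error) {
	key, err := b32.DecodeString(secret)
	if err != nil {
		return "", err
	}
	return hotp(key, uint64(t.Unix())/totpStep), nil
}

// Enrollment is the per-user record the server stores.
type Enrollment struct {
	Secret      string
	Confirmed   bool  // true only after the user has proven they can produce a code
	LastCounter int64 // highest time step already accepted; blocks replay inside the skew window
}

// Verify accepts the current step or one step either side (clock skew). A code is therefore
// valid for up to 90 seconds, so the accepted step is recorded and never accepted again.
func (e *Enrollment) Verify(code string, now time.Time) (bool, error) {
	key, err := b32.DecodeString(e.Secret)
	if err != nil {
		return false, err
	}
	step := now.Unix() / totpStep
	for d := int64(-1); d <= 1; d++ {
		c := step + d
		if c <= e.LastCounter {
			continue // already consumed, or older than a step we already accepted
		}
		if subtle.ConstantTimeCompare([]byte(hotp(key, uint64(c))), []byte(code)) == 1 {
			e.LastCounter = c
			return true, nil
		}
	}
	return false, nil
}

// Confirm finishes enrollment: the secret is only treated as active after one valid code.
func (e *Enrollment) Confirm(code string, now time.Time) (bool, error) {
	ok, err := e.Verify(code, now)
	if ok {
		e.Confirmed = true
	}
	return ok, err
}

func main() {
	secret, _ := NewSecret()
	fmt.Println("QR payload:", ProvisioningURI("ExampleApp", "alice", secret)) // placeholder names
	code, _ := TOTPCode(secret, time.Now())
	e := &Enrollment{Secret: secret}
	ok, _ := e.Confirm(code, time.Now())
	fmt.Println("confirmed:", ok, "replay accepted:", func() bool { r, _ := e.Verify(code, time.Now()); return r }())
}
```

Note the two server-side checks the post leaves implicit: a user should not be marked as having 2FA until `Confirm` has succeeded, and `LastCounter` must be persisted with the secret, otherwise a code intercepted during its 90-second window can be replayed on a different server instance.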