I think that given the WireGuard building block, it's certainly
possible to build a 2FA framework around it.
I see these wireguard extra features just like dhcp is. Nobody thinks about implementing dhcp inside kernel or even iproute tools.
+1 for 2FA and +1 for a service that share peer info, allowing a mesh vpn
--