2FA is probably a good thing, but it certainly adds complexity, and unless you are an expert it might not make things better and you might actually be leaking more than you know.
I have installed Google 2FA on several systems. 2FA requires a network connection to Google, which means a dead network cannot be accessed. Once you start deploying workarounds, the system is weaker.
Also, Google is now in the authentication chain. They know when users access the system and who. They know how busy your system is, when you reboot and whatever other T&C you’ve agreed to.
And on top of that, it’s a lot of manual configuration to get it right, especially when you start deploying and orchestrating lots of virtual and bare-metal machines. And frankly, the first thing I did once I installed 2FA was work around it; granted, that was inside the lab, but it could just as easily have been anywhere else.
configuration as code
All this manual stuff is not good. It’s mistakes ready to happen.