Hi Jason,
The short answer is yes, it's possible. There are a couple important considerations:
1. Enforcing 2FA for specific users -- which users get 2FA, which do not?
2. 2FA credential enrollment -- how do users who want 2FA enroll and manage their credentials and auth settings, i.e. turn 2FA on & off?
For number one, you can write and add custom [interception scripts](https://gluu.org/docs/ce/authn-guide/intro/#authentication-interception-scripts) to your Gluu Server to define the logic.
For example, take a look at this sample interception script that implements Duo for 2FA:
https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/duo/DuoExternalAuthenticator.py#L41
In line 41 of the script it specifies that if the user is part of the Duo group, prompt for 2FA. Else let the user through with simple PW authentication.
This is OK for an enterprise that manages user groups and credentials/devices, but not so good for customer-facing services.
So you need a way to give people the ability to enroll and manage their 2FA credentials, and also turn 2FA on and off.
In fact, we're just about to release a new product that will help you roll this out called [Gluu Casa](https://gluu.org/docs/casa/).
Note: the packages are still being QA'd and are not ready for deployment, but will be this month.
Casa includes interception scripts that help route the proper authentication strategies, and also user interfaces for admins and end-users to enroll and manage their 2FA devices, and also set proper policies around 2FA.
Casa will be commercial software though. If you'd like to discuss and see a demo, feel free to [schedule a call](https://gluu.org/booking).
Hope that helps get you oriented around how you might go about achieving this type of solution.
Cheers,
Will
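
An added illustration of the two considerations in the reply above (not part of the original reply, and not Gluu or Casa code): a per-user decision that combines group-based enforcement with a self-service 2FA toggle. The group name `duo_users`, the `User` fields and the `Decision` values are assumptions made for this sketch; it is plain Python and does not use the interception-script API.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PASSWORD_ONLY = "password_only"   # single step: password
    SECOND_FACTOR = "second_factor"   # password, then an enrolled credential
    ENROLL_FIRST = "enroll_first"     # 2FA is mandatory but nothing is enrolled


@dataclass
class User:
    uid: str
    groups: set = field(default_factory=set)     # directory group memberships
    enrolled: set = field(default_factory=set)   # enrolled credentials, e.g. {"otp"}
    opted_in: bool = False                       # user's own 2FA on/off switch


ENFORCED_GROUPS = {"duo_users"}  # assumed name of the admin-managed 2FA group


def decide(user, enforced_groups=ENFORCED_GROUPS):
    """Return the authentication flow for one login attempt."""
    if user.groups & enforced_groups:
        # Admin policy overrides the user's toggle: a member of an enforced
        # group cannot drop to password-only by switching 2FA off.
        return Decision.SECOND_FACTOR if user.enrolled else Decision.ENROLL_FIRST
    if user.opted_in and user.enrolled:
        return Decision.SECOND_FACTOR
    # Opt-in without a usable credential falls back to password-only here
    # (an assumption of this sketch); the management UI should clear the
    # toggle when the last credential is removed so this state is short-lived.
    return Decision.PASSWORD_ONLY


if __name__ == "__main__":
    # Constructed sample users covering each branch.
    samples = [
        User("staff1", groups={"duo_users"}, enrolled={"otp"}),
        User("staff2", groups={"duo_users"}),
        User("cust1", enrolled={"otp"}, opted_in=True),
        User("cust2", enrolled={"otp"}, opted_in=False),
        User("cust3", opted_in=True),
    ]
    for u in samples:
        print(u.uid, decide(u).value)
```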