The infrastructure is already present. 2FA service providers would just have to be added as required authorities on the user's account. If there's a market for it we could see several competing providers with different models.

Ideally proposed transactions would make this even cleaner: https://github.com/steemit/steem/issues/318