2FA is a must nowadays. Please implement. I would suggest whatever Google Authenticator and Authy use (TOTP).
Please let me know if you have further questions in terms of requirements. In a nutshell, I'd like to see:
1. Ability for administrators to enable, disable or require 2FA for users
2. This could be in the form of Google Authenticator-like time-based keys which the user can retrieve on their mobile/desktop device (or via SMS), or something simple like "security questions". Ideally configurable.
3. This requirement should cover both UI and more importantly git operations through ssh.