Wanted to mention that I’m working on 2FA using FIDO U2F. Thus a USB device such as the Security Key by Yubico or the similar product from Key-ID. After a normal OpenEMR login you would be prompted to use the physical key to further verify your identity.
This particular type of device is attractive because it’s effective and cheap, around $10. The work should also be adaptable other 2FA methods.