My understanding is that the plan for WireGuard is to nail the engine and present a clean interface to system integrators, who will build their own authentication systems on top of it. The most sensible way to do MFA for WireGuard is probably through an IdP.
I think at this time, the only option you'd have is a captive portal for the 2FA, and then unfirewall the in-VPN IP. WG has no provision for "connection state", only "handshake happened X seconds ago". If there's no traffic, there's no handshake.
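As an added example (not code from anyone in the thread), a small Python script that shows what the comment above means in practice: WireGuard only exposes "latest handshake" per peer, so a captive-portal 2FA gate has to decide for itself when a peer's firewall allowance should be revoked. It parses constructed `wg show <iface> dump` output; the placeholder keys, the sample timestamps and the 180-second staleness threshold are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str          # the in-VPN IP the gate "unfirewalled" after 2FA
    latest_handshake: int     # Unix time of last handshake, 0 = never


# Constructed sample of `wg show wg0 dump` output (tab-separated). Keys and
# addresses are placeholders, not real WireGuard keys.
# Line 1: private_key  public_key  listen_port  fwmark
# Peers:  public_key  preshared_key  endpoint  allowed_ips  latest_handshake  rx  tx  keepalive
SAMPLE_DUMP = "\n".join([
    "PRIVKEY_PLACEHOLDER=\tIFACE_PUBKEY_PLACEHOLDER=\t51820\toff",
    "PEER_A_PLACEHOLDER=\t(none)\t203.0.113.10:41641\t10.0.0.2/32\t1700000000\t4096\t8192\t25",
    "PEER_B_PLACEHOLDER=\t(none)\t198.51.100.7:51820\t10.0.0.3/32\t1699999000\t0\t0\toff",
    "PEER_C_PLACEHOLDER=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])


def parse_dump(text: str) -> List[Peer]:
    """Parse the peer lines of `wg show <iface> dump`, skipping the interface line."""
    peers = []
    for line in text.splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(fields[0], fields[2], fields[3], int(fields[4])))
    return peers


def handshake_age(peer: Peer, now: int) -> Optional[int]:
    """Seconds since the last handshake, or None if the peer never handshook."""
    return None if peer.latest_handshake == 0 else now - peer.latest_handshake


def stale_peers(peers: List[Peer], now: int, max_age: int = 180) -> List[str]:
    """In-VPN IPs whose 2FA-granted firewall allowance the gate should revoke.

    A peer that has not handshaken within max_age seconds (assumed threshold)
    is treated as having no live "session", since WireGuard has no other notion
    of connection state.
    """
    stale = []
    for p in peers:
        age = handshake_age(p, now)
        if age is None or age > max_age:
            stale.append(p.allowed_ips)
    return stale
```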
Each node has a list of public keys of nodes that it authorizes to communicate with it. Those nodes authenticate themselves (provide proof of their identity) via exclusive ownership of their private keys.
If you are using a VPN to access a sensitive network (home or office), you want to make it harder for an attacker to steal keys or passwords to the network (especially since any roaming devices are more vulnerable to evil maid attacks). 2FA through a token or phone apps means they now need to compromise two devices instead of one.
OK, I get you. I think we're coming from different angles. You're concerned about getting into a network; I'm concerned about not identifying identification.