I had seen ones done with HyTrust in version vCloud 1.5.x generation. However, with SAML Federation ... if your Federation server (OpenFS or ADFS) supports doing 2FA, then it might be possible that way.
I assume this is for Tenant Organizations and for the 'System' level (which is vSphere SSO or LDAP only).
It will be for the tenant/organisation accessing the vCloud instance yes. We have to use RSA SecurID's for the 2FA as requested by the customer
well RSA isn't a Federation Service/Identity Provider on its own (at least not that I can tell).
We do support ADFS, which could be configured with RSA SecurIDs (http://technet.microsoft.com/en-us/library/hh344805(WS.10).aspx)
I think on the vCloud Director side we just need to ensure that the claims are setup correctly to have the data inside the authentication token that we care about.