This is very easily done with OpenIddict, but OpenIddict is one of those "magically works in the background" frameworks.
Yep it is, because it was designed to be used by people who have no idea how OAuth2 or OpenID Connect work, which is why most of the protocol details are deliberately hidden (and thus, why the classes that handle the OIDC requests/responses are intentionally non-replaceable).
I would like to keep the simplicity of OpenIddict, but change its default behaviour by using Identity and its two-factor authentication features instead of just a username/password login.
If you find it easy, I assume you're using the "resource owner password credentials grant" demonstrated in a bunch of blog posts (e.g. http://capesean.co.za/blog/asp-net-5-jwt-tokens/ or http://kerryritter.com/authorizing-your-net-core-mvc6-api-requests-with-openiddict-and-identity/).
Unfortunately, this (simple) OAuth2 grant is not compatible with 2-factor authentication.
Instead, I'd recommend switching to an interactive flow like implicit or authorization code, that will allow you to support this scenario (since you're responsible for the login part in this case).
For more information, you can take a look at this sample. It simply relies on the AccountController that comes with the default VS templates for the login step and includes a special AuthorizationController that handles the authorization part. 2-FA is natively supported by AccountController, so you shouldn't have anything to implement to enable that in your application.
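To make the recommendation above concrete, here is an added example (not code from the thread or from the linked sample) of the authorization endpoint an AuthorizationController would expose for the authorization code flow. It assumes the current OpenIddict server API for ASP.NET Core (`GetOpenIddictServerRequest`, `SetScopes`, `SetDestinations`) together with ASP.NET Core Identity; the thread does not state a version, so the exact helper names are an assumption. The security-relevant point is in the first check: the endpoint never sees a password. It only trusts the Identity application cookie, and if that cookie is absent it redirects to the Identity login UI, where `SignInManager` runs its full pipeline, including the two-factor step, before the user ever comes back and an authorization code is issued. With the password grant there is no redirect at all, so a `RequiresTwoFactor` sign-in result has nowhere to be completed.

```csharp
// Added example: authorization endpoint for the authorization code flow.
// Assumes OpenIddict's ASP.NET Core server integration and ASP.NET Core Identity.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

public class AuthorizationController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;

    public AuthorizationController(UserManager<IdentityUser> userManager)
        => _userManager = userManager;

    [HttpGet("~/connect/authorize")]
    [HttpPost("~/connect/authorize")]
    [IgnoreAntiforgeryToken]
    public async Task<IActionResult> Authorize()
    {
        // The OpenIddict middleware has already validated the client_id,
        // redirect_uri, response_type and scopes before this action runs.
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        // Login is delegated to Identity: if there is no valid application cookie,
        // challenge the Identity scheme. That redirects to the login page, where
        // password + 2FA are enforced by SignInManager, and then back here.
        var result = await HttpContext.AuthenticateAsync(IdentityConstants.ApplicationScheme);
        if (result?.Succeeded != true)
        {
            return Challenge(
                authenticationSchemes: IdentityConstants.ApplicationScheme,
                properties: new AuthenticationProperties
                {
                    // Preserve the original authorization request so the flow
                    // resumes after the interactive login completes.
                    RedirectUri = Request.PathBase + Request.Path + QueryString.Create(
                        Request.HasFormContentType ? Request.Form.ToList() : Request.Query.ToList())
                });
        }

        var user = await _userManager.GetUserAsync(result.Principal)
            ?? throw new InvalidOperationException("The user details cannot be retrieved.");

        // Build the principal that OpenIddict will encode into the authorization code
        // (and later into the access/identity tokens).
        var identity = new ClaimsIdentity(
            authenticationType: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
            nameType: Claims.Name,
            roleType: Claims.Role);

        identity.SetClaim(Claims.Subject, await _userManager.GetUserIdAsync(user))
                .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user));

        // Only grant the scopes the client actually requested.
        identity.SetScopes(request.GetScopes());

        // Decide which claims end up in which token; keep the subject everywhere,
        // and put the name in the identity token only when "profile" was granted.
        identity.SetDestinations(claim => claim.Type switch
        {
            Claims.Subject => new[] { Destinations.AccessToken, Destinations.IdentityToken },
            Claims.Name when identity.HasScope(Scopes.Profile)
                => new[] { Destinations.AccessToken, Destinations.IdentityToken },
            _ => new[] { Destinations.AccessToken }
        });

        // Hand the principal to OpenIddict, which issues the authorization code
        // and redirects to the client's registered redirect_uri.
        return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}
```

Nothing 2FA-specific lives in this controller, which is exactly the point made above: because the authorization endpoint relies on the Identity cookie rather than on credentials posted by the client, whatever policies the login page enforces (two-factor, lockout, account confirmation) automatically gate token issuance.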