FlexAuth does not internally support two-factor authentication.

If you can run all your SSO resources through one listener by using a wildcard certificate or publishing them as paths, then you could perform 2 factor authentication by by using two "chained" listeners, as described in the following article: isaserver.org tutorial

The first listener to accept the external connetion would do your first authentication factor (RSA SecurID for example) and then hand off the request to the localhost chained listener, which is configured to do the second factor.

FlexAuth would not be required for this scenario, unless for example you want to use its features for easy customization of the logon form.