At a minimum, have IP whitelists for wp-admin.
You mean block everyone BUT certain IPs? Because if you're thinking of the .htaccess block like that, it's a bloody nightmare to support.
I'm not disagreeing it would make things more secure, I'm just picturing the first time someone tries to log in from mom's computer and can't, and doesn't know how to fix it. Who do they contact? The webhost?
GA requires an Android or iPhone, but here's the best part: It's wrong to assume that this is Google-branded authentication.
Oh I know, but the iOS app is GA's (I presume the Android one is as well). Now WP could put that in their app instead, which would be nifty.
But we're still back to the presumption that people could use 2FA on their phones.
I think it's safe to assume that a very high percentage of WP users have mobile devices.
I think a high percentage isn't enough, when you may be crippling your product for the rest :)
This would absolutely have to be optional and set to off, because if it's on and people can't get in, well... Also, is this even accessible to people who can't see? We're not even talking about folks who don't have phones, or mobile phones capable of this sort of thing. China? Africa? They have enough issues as is.