On our installation, we'd like to enforce multi-factor authentication for all administrators only, while allowing users to optionally use TOTP codes where they see fit. I believe I discussed this with @epriestley at one point, and it would require a bit of work to do, but it'd be a nice addition.
The real reason we'd like to enforce this is because we'd like to add a secondary authentication factor, [Duo Security](https://duosecurity.com), and then require administrators to all use Duo as their second factor for their logins.