Remote admin of vyos routers is via ssh, which should be protected with two factor authentication. This patch
adds the stock debian google-authenticator package.ssh vyos@your.router google-authenticator <<EOF y y y n n EOF
The TOTP seed is stored in ~/.google-authenticator, rather than in the vyos config.