Reviving this topic a bit...
The new kid in town for 2FA is U2F, which has some advantages over OTP.
From my recent readings, it should be possible to implement U2F (and/or OTP) in SSOwat. Libraries, or full servers with REST APIs, exist for managing these protocols, and could be interfaced with the Yunohost SSO.
The Yubico developer website is full of resources about this.
The U2F/OTP would be an additional authentication layer, on top of the existing LDAP password. This would not be plugged directly into the LDAP server.
I just bought a Yubikey 4 and will experiment with a few things for fun, as time permits. Adding U2F for SSOwat would probably be my first game.
Still, this won't solve the whole problem: having 2FA for the SSO does not mean you have it for the other open doors on your server (IMAP/POP, SMTP, XMPP, ...). Protecting all authenticated services of our ynh servers would require different approaches, and more effort. For example, enforcing connections to those services only from a VPN, with the VPN certificate being stored and protected on a hardware device, might be the beginning of a solution.