It is possible to enforce 2FA.
https://help.github.com/articles/requiring-two-factor-authentication-in-your-organization/
