ah i see. That will probably take several months. If you find another way of adding google authenticator, you can use that along with supertokens and it would work well.
What you need to do is on session creation (after 1st factor), save a flag in the access token indicating that only the first factor is complete.
Your APIs and sensitive routes on the frontend could allow access only if first and second factor is complete (as marked in the access token). If not, they could redirect the user to the second factor screen.
After the second factor is done, you could update the access token to mark that both the factors are done granting the user access to the app.
-----------
If not all users should have 2fa, you can even save that info in the access token after the first factor is done and change the API access logic accordingly.