Not by terminating the EAP at the built-in RADIUS server, but for those who have that specific use case, they should really be using something dedicated like FreeRADIUS or RADIATOR, terminating the EAP there. You get a far better experience with features, auditing, customisation etc. by doing this.
Having a RADIUS server in the AP firmware is a convenience feature, designed to meet the needs of most users with typical use cases as it is one less separate thing to understand and manage. Users just have to bind to an appropriate directory and much of the complexity is masked.
In my opinion, it wouldn't make sense to build this into HiveOS as there would be relatively few users for it and the same thing can be achieved in a different, arguably better way for those who need it.
So, you can definitely do two-factor auth of this nature with Aerohive APs in the equation, just not with HiveOS terminating the EAP.