https://cilogon.org/tf and click the "Manage Two-Factor" button after you log on. Then click the "Enable" button for the authentication method you would like to use.
Currently, the only second factor method supported by CILogon is the Google Authenticator mobile app, which implements one-time passwords according to the open standards developed by the Initiative for Open Authentication (OATH) (unrelated to OAuth). However, CILogon's second factor support is designed to accomodate multiple methods, and CILogon may support additional methods (such as Duo) in the future according to community requirements.
After you enable a second authentication factor, CILogon will prompt you for your second factor after you authenticate with your chosen identity provider, on all subsequent visits to https://cilogon.org/. You can disable your second factor at any time using the "Manage Two-Factor" button after you log on. In the future, CILogon will indicate in the issued certificate whether two-factor authentication was performed, so services accepting the certificate for authentication can better determine the level of assurance used to obtain the certificate.
Some identity providers already support two-factor authentication to CILogon, including Virginia Tech's Silver level Personal Digital Certificate (PDC) and Google's 2-step verification. For identity providers that don't support two-factor authentication, CILogon's ability to add a second authentication factor can provide a useful "step-up" level of assurance for certificate issuance.