The new 2-factor authentication with 4.2 beta is a welcome addition.
The fact that it's integrated with Google Authenticator is great.
However, I think it would be far more useful if it could be a conditional setting. For example, I would love to be able to define one or more 'trusted hosts' (e.g. systems on the same network segment) that did not require more than a password.
Also, it seems that 2-Factor is disregarded altogether when connecting via the console (i.e. SSH) and at least some of the mobile apps. There's no point to adding a 2nd factor to security if it can be easily bypassed by simply logging in a different way.