The 2FA authentication process takes place when the user successfully signs in. A 2FA token is sent to the user (this can be via email or SMS) and has to be sent to the gateway. The current implementation apparently relies on the 'otp' setting, but it does not work (for me). The otp setting is hardwired to be NM_SETTING_SECRET_FLAG_NOT_SAVED. With this setting, nmcli asks for the otp token before logging in, and writes the token (which cannot be empty) in the config file openfortivpn uses to establish the connection. Then, openfortivpn sends said token and does not ask for 2FA interactively.
I have submitted pull request https://github.com/adrienverge/openfortivpn/pull/761 to the openfortivpn developers to use a specific hint for 2FA. The code in the present merge request will use that feature to set up the VPN 2FA process.
I also contributed the editor part for nm-applet.