What will be your second factor and where will it be enforced?
You could have FortiTokens on the FGT and create remote LDAP users one by one, with a token each. Put these users into a local (! - not remote) group and you are done. That still means having users on the firewall, though.
Now if you want to implement a second factor elsewhere, you will need to understand the flow of authentication:
The user authenticates against an authenticator (FortiGate here), and this authenticator will authenticate the user against a user DB. That can be your LDAP server.
Your second factor can either be inserted on the authenticator as described right before, or be implemented on the user DB (the LDAP server). Either of these nodes must be compatible with setting a second factor and asking for an answer, prior to sending a final response to the end user.
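
The first option above (token enforced on the FortiGate, password checked against LDAP) as a FortiOS CLI sketch. This is an added example, not part of the original post; the user name `jdoe`, the LDAP server object `corp-ldap` (assumed to exist already under `config user ldap`), the group name `vpn-2fa` and the token serial are placeholders.

```fortios
# One entry per person: the password is verified by the LDAP server,
# the second factor (FortiToken) is verified by the FortiGate itself.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "corp-ldap"
        set two-factor fortitoken
        # placeholder: serial of a token already registered on this unit
        set fortitoken "FTKMOB-PLACEHOLDER"
    next
end

# Local group: members are the user entries above, nothing else.
config user group
    edit "vpn-2fa"
        set member "jdoe"
        # Do not add "corp-ldap" as a member here. With the server object
        # in the group, the group becomes remote and a directory account
        # with no token-bearing entry above matches it on password alone.
    next
end
```

Reference only `vpn-2fa` in the firewall or VPN policy, so that every login path goes through a user entry that carries a token.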