Doing password + PIN at the supplicant level provides a very poor user experience and also requires a custom supplicant in many cases.
We can support a "sandwich flow" with modern MFA providers like Duo and GoVerifyID. Sandwich meaning, the device connects and based on a timer or expiry, the user is redirected to an MFA challenge in their browser.