As far i know you cannot do that or you do EAP PEAP = user + password or you use EAP TLS = User Certificate.
You can do 2 factor authentication by doing EAP PEAP + Enforce machine OR EAP TLS + Enforce Machine.
The enforce machine will check if the laptop or tablet is in the Active directory group you select(this works perfectly when you got all windows machines)
Hopes it helps
Cheers
Carlos