In general, yes.
But it depends on what kind of second factor you want to use.
The easiest way is to have Splunk sit behind an authenticating reverse proxy that handles the authentication and just passes the username back to splunk via an HTTP header (X-Authenticated-User, for example):
http://docs.splunk.com/Documentation/Splunk/6.2.2/Security/HowSplunkSSOworks
I have my splunk set up to look at the "SSL_CLIENT_S_DN" header, which gets set when I use my x.509 browser certificate.
--Joe