But that would require the authenticating target to run their own LN node, right? Otherwise there'd be some serious security implications. One of the advantages of the current TOTP/HOTP model is that the second auth can be done with an offline device.

Probably not. Most people know better than to use a non-microsoft or apple authenticator app..