Hi Dimitris,
Certificates alone are not considered two factor. What is the second factor? Certificate based logon for SAP GUI required some SSO product like SAP NW SSO. Depending on your SAP system, you will be able to use logon policies (tx secpol) to enforce SSO only for some users, allowing the others to log on also using their password. However it's not clear to me, whether this should be proposed, as SSO also has side effects like reduced admin effort for stuff like password reset. So maybe you want to use SSO for all and just have different policies inside SSO, how the authentication for different users works?
Kind regards,
Patrick