Only protects /wp-login.php

Is this a statement or a question? Have you verified it?

Statement.

Fyi Julien is aware, not much he can do about it. I worked with Pippin (Restrict Content Pro) and there is a plugin patch on github for RCP to redirect admins to the WP-login page.

I need to add support for this one too.

RCP does support https://www.ads-software.com/plugins/google-authenticator/ on the log in forms.

Thanks, so if I understand this correctly, if I manage the blog and know there is no other way to login than wp-login.php I’m good to go?

not sure if you are aware of this but there seems to be a plugin aiming to bring this into WP core: https://www.ads-software.com/plugins/two-factor/