Google Authenticator works with Roundcube as a third-party plugin. However, if you're running an internet-facing server with administrative pages, you're probably much better off restricting access to those pages to the local intranet addresses, and protecting any of those administrative pages (iRedAdmin, phpMyAdmin, etc.) by only allowing access from an IP address that is behind a firewall, and accessible only via a virtual private network. If you're looking to do that on the cheap, you can't get much cheaper than running an old router, flashed with DD-WRT as both a firewall, and an OpenVPN server, in order to protect everything that you don't want facing the public internet.

But I wouldn't even think about allowing public access to iRedAdmin on any of my servers unless it's from a connection within my own private subnet, or an IP that is part of my OpenVPN IP address pool. There's just too much that could go wrong with cross-site request forgeries, or cross-site scripting, or zero-day vulnerabilities with PHP code that's yet undiscovered. At least if you protect your configuration tools with intranet-only access, you reduce the risks of someone exploiting a new hole on a public-facing administrative interface.