I think this is how greenaddress.it is doing it?

Yes. They also use the nLockTime parameter, so that TX1 will 'expire' after some time, so that I can get my coins back if the 3rd party goes bankrupt or doesn't release payments when requested, but I haven't got my head around that part yet (as I haven't looked into nLockTime yet).
They send the change to a new multisig address, and send you a new refund txn that you can't spend for "90 days" or something (1440 blocks? It says in the app). So if ga.it disappears tomorrow, you have to wait a bit to get your money back, but they can't run away with it.
The normal workflow is exactly the same as regular wallets that have 2FA. It's just that their servers sign the txn when you respond to the 2FA challenge.
FWIW, it's the only wallet I'm using these days, outside of paper wallets. Great for my spending money. They are rolling out 0-conf stuff as we speak, which uses the payment protocol.
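As an added illustration (not code from this thread or from GreenAddress), here is a toy Python model of the scheme the two posts above describe: a 2-of-2 output that the server co-signs only after the 2FA challenge is answered, plus a pre-signed refund back to the user that can only be broadcast once its nLockTime has passed. The "user"/"server" signer labels, the helper names, the addresses, heights and timestamps are all constructed for the example; the 1440-block delay is the figure quoted above. The is_final() check follows Bitcoin's nLockTime rule, including the detail that the lock time is ignored when every input's nSequence is final, which is why a refund whose input is left at the final sequence would be spendable immediately.

```python
# Toy model of a 2-of-2 wallet with an nLockTime refund, as described in the thread.
# Added example, not GreenAddress code. Assumed: the "user"/"server" signer labels,
# the helper names below, and every sample txid, address, height and timestamp.
from dataclasses import dataclass, field

LOCKTIME_THRESHOLD = 500_000_000  # nLockTime below this is a block height, otherwise unix time
SEQUENCE_FINAL = 0xFFFFFFFF        # an input with this nSequence disables nLockTime for the tx


@dataclass
class TxIn:
    prev_txid: str
    sequence: int = SEQUENCE_FINAL


@dataclass
class Tx:
    inputs: list
    outputs: dict                                   # address -> satoshis
    lock_time: int = 0
    signatures: set = field(default_factory=set)    # which of the two keys have signed


def is_final(tx, block_height, block_time):
    """nLockTime rule: the tx may enter a block only if its lock time is below the
    block's height (or time), unless every input carries the final sequence number."""
    if tx.lock_time == 0:
        return True
    limit = block_height if tx.lock_time < LOCKTIME_THRESHOLD else block_time
    if tx.lock_time < limit:
        return True
    return all(txin.sequence == SEQUENCE_FINAL for txin in tx.inputs)


def can_broadcast(tx, block_height, block_time, signers=("user", "server")):
    """A 2-of-2 output needs both signatures, and the lock time must have matured."""
    return set(signers) <= tx.signatures and is_final(tx, block_height, block_time)


def make_refund(deposit_txid, refund_address, amount, current_height, delay_blocks=1440):
    """Server pre-signs a refund that becomes valid delay_blocks after the deposit.
    The input's nSequence is set non-final so the lock time is actually enforced."""
    refund = Tx(inputs=[TxIn(deposit_txid, sequence=0)],
                outputs={refund_address: amount},
                lock_time=current_height + delay_blocks)
    refund.signatures.add("server")
    return refund


def user_sign(tx):
    tx.signatures.add("user")
    return tx


def spend_with_2fa(tx, otp, expected_otp):
    """Normal workflow: user signs; the server co-signs only if the 2FA code matches."""
    user_sign(tx)
    if otp == expected_otp:
        tx.signatures.add("server")
    return tx


def demo():
    """Walk the flow at constructed heights and return the outcomes."""
    height, now = 300_000, 1_400_000_000             # constructed sample height and time
    deposit = "deadbeef" * 8                         # constructed sample txid
    refund = user_sign(make_refund(deposit, "1UserRefundAddr", 50_000, height))
    bad = spend_with_2fa(Tx([TxIn(deposit)], {"1Merchant": 50_000}), "000000", "123456")
    good = spend_with_2fa(Tx([TxIn(deposit)], {"1Merchant": 50_000}), "123456", "123456")
    # Pitfall: same lock time, but the input left at SEQUENCE_FINAL, so nLockTime is ignored.
    careless = Tx([TxIn(deposit)], {"1UserRefundAddr": 50_000},
                  lock_time=height + 1440, signatures={"user", "server"})
    return {
        "refund_now": can_broadcast(refund, height + 1, now),
        "refund_after_delay": can_broadcast(refund, height + 1441, now),
        "payment_bad_otp": can_broadcast(bad, height + 1, now),
        "payment_good_otp": can_broadcast(good, height + 1, now),
        "careless_refund_now": can_broadcast(careless, height + 1, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'spendable' if ok else 'not spendable'}")
```

Running demo() shows the two properties the posts rely on: the server cannot move funds without the user (and the user cannot without the server's 2FA co-signature), while the refund goes from unspendable to spendable once the chain passes the lock height. The careless variant is the caveat to keep in mind when building such a refund by hand.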