Request - Add 2FA to login

Correct. You should not make the web UI publicly accessible. The “default configuration” on AWS does this so that it is easier to set up the system initially, but this should be changed as soon as possible.

The web UI is brute-forcible, which, generally speaking, is not a problem (because virtually everything is BF-able). But with a sufficiently complex password, the barrier can be raised high enough.

I do not see much benefit of TOTP authentication for things like VPNs and the web UI, but I suppose we will add this at some point.

Here are some more thoughts on TOTP: blog.ipfire.org - OpenVPN OTP/2FA
