You can technically make up new authentication schemes to extend from HTTP Basic Auth, but they generally won't be supported by browsers. In your example, I don't believe any browser would be able to natively ask for and send username:password:token in the same way they can easily ask for username and password.
Generally two-factor authentication schemes work by putting the user into an intermediary state using some form of sessions as you mentioned in your second example. A user who has passed the first factor, say username/password via Basic Auth, has a session opened but not marked as really logged in until they also pass the second factor. Inputting a dongle code or something like that. Once both factors are passed their session is marked as fully logged in and they can access their account/data/whatever.