Haven't signed up, but http://blog.coinbase.com/ does mention 2FA is supported through SMS or an app called Authy. In case the founder sees this, was there any reason why Verisign's VIP app (which has native apps on more devices and seems to be the de-facto standard for banking sites) was not used?
Personally, I have no idea why they didn't just use Google Authenticator and implemented OATH/TOTP on their own servers.
Relying on a third-party for authentication seems a very bad idea, specially when there's an open algorithm that is essentially just feeding a secret and the current unix time to an HMAC-SHA1.
