After entering username and password, a user is prompted for multi-factor authentication by hardware security key. Alternatively, the user may enter a one-time password from an authenticator app, or a single-use recovery code.

• What kinds of multi-factor authentication are supported?

  Both temporary one-time passwords (Google Auth, Authy, 1Password, etc) and hardware tokens (Yubikeys, etc) are supported out-of-the-box. OIDC goes live this fall.