Hook in what you already use, or choose a freestanding option.
After entering username and password, a user is prompted for multi-factor authentication by hardware security key. Alternatively, the user may enter a one-time password from an authenticator app, or a single-use recovery code.
What kinds of multi-factor authentication are supported?
Both temporary one-time passwords (Google Auth, Authy, 1Password, etc) and hardware tokens (Yubikeys, etc) are supported out-of-the-box. OIDC goes live this fall.