Quoting Alex <mysqlstudent@gmail.com>:

Hi,

Unfortunately the best way to do multifactor authentication today is to use OAUTH2, which isn't currently supported for own installations. Or you can use client certs.

If you want to use some kind of MFA with tokens, you end up having to feed your token all the time. So the best option, for now, is device passwords.

Client certs appears to be a good solution.

What's the process for managing them with more than a hundred client accounts?

I believe the problem they are trying to solve is hacked accounts from
compromised passwords. Does client certs solve that problem?

Client certs would solve that - but you'll need some management around it (creation/deployment/renewal/device changes/etc). The easiest method is to run MDM and PKI infrastructure, but with 100 clients I kinda doubt that's in place and I wonder if they have the budget for it.

Another option, not open source, but if you engage Recorded Future, you can get a report and notifications of password compromises, and then take action on that info (ie, force affected user to change password).

Alternatively, and free, don't use the email address as the username for authenticaiton, use some other generic ID.

Rick