
Re: Two step authentication with Google Authenticator

by James McLean.

That's along the lines of what we have implemented; the only stumbling block at the moment is the ability for users to set up their own two-factor authentication. At the moment it requires an administrator or support staff to enable it for a user and then provide them with the QR code - basically that requires that they're physically with the person when they enable it.

I am working on the ability for users to enable their own two-factor authentication at the moment, where they will access a page to enable it - this will flip their account to the a2fa authentication type, then provide the QR code to be scanned. I realise the secret can be entered manually - but this should be avoided IMO due to the risk of typing errors etc.

The modifications I made to this module check all installed authentication plugins for actual authentication of the first factor (username/password) and then prompt for the second factor in a separate window.

Example of token request

I have implemented some further improvements since we went to production around logging the generation of the secret and viewing the QR code via the Events system etc.

We have this in Production now.

Planned future improvements:

  • Ability to self-manage 2fa authentication (enable, disable, regenerate secret)
  • Stored list of 10-ish emergency codes for lost/flat/forgotten devices.
  • Ability to set a browser as trusted (unsure how to do this as yet, thinking about browser fingerprinting but will investigate best practice first) so that you only have to provide the token on an untrusted machine.
  • Message (via configurable Moodle Messaging) to users when changes made to 2fa settings - email will be forced on for this for obvious reasons.
  • PHPUnit Tests
  • Behat Tests

Any other suggestions?

As this is only one of many things I maintain and develop here, that list may take some time to be completed :) I'll seek permission to distribute everything we've developed on GitHub.
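The post describes a Google Authenticator style second factor (a shared secret delivered as a QR code, a 6-digit token checked at login) plus a planned list of emergency codes for lost devices. The following is an added example of how those two pieces fit together, written for this page and not taken from James McLean's module or from Moodle; it implements TOTP per RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits, which is what Google Authenticator expects), accepts one step of clock drift either side, refuses replay of an already-accepted step, and stores emergency codes only as hashes so a database dump does not reveal them. The class name `SecondFactor`, the `window` parameter and the constructed RFC test secret are assumptions of this example, not identifiers from the post.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_secret(nbytes=20):
    """Random base32 secret; this string is what the QR code carries (otpauth:// URI)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret_b32, t // step, digits)


class SecondFactor:
    """Per-user second-factor state: TOTP secret, replay guard and hashed emergency codes."""

    def __init__(self, secret_b32=None):
        self.secret = secret_b32 or generate_secret()
        self.last_counter = -1          # highest time step already accepted
        self.emergency_hashes = set()   # only hashes are persisted, never the codes

    def check_totp(self, token, for_time=None, step=30, window=1):
        """Accept a 6-digit token for the current step or +/- window steps.

        Each step may be used once: a token that matched step N is rejected on a
        second submission even while it is still inside the drift window.
        Comparison is constant-time so the check does not leak matching prefixes.
        """
        t = int(time.time() if for_time is None else for_time)
        counter = t // step
        for delta in range(-window, window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue                # replay of an already-used step
            if hmac.compare_digest(hotp(self.secret, candidate), token):
                self.last_counter = candidate
                return True
        return False

    def issue_emergency_codes(self, count=10):
        """Mint fresh one-time codes, return them once (to show the user), keep only hashes."""
        codes = [secrets.token_hex(5) for _ in range(count)]   # 40 bits each, 10 hex chars
        self.emergency_hashes = {self._hash(c) for c in codes}
        return codes

    def check_emergency(self, code):
        """Consume one emergency code; a code that has been used is removed and never works again."""
        h = self._hash(code)
        if h in self.emergency_hashes:
            self.emergency_hashes.remove(h)
            return True
        return False

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.strip().lower().encode("ascii")).hexdigest()


# Constructed test secret from RFC 6238 Appendix B (ASCII "12345678901234567890" in base32).
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    sf = SecondFactor(RFC_SECRET)
    print("TOTP at t=59:", totp(RFC_SECRET, for_time=59))
    print("first use:", sf.check_totp("287082", for_time=59))
    print("replay   :", sf.check_totp("287082", for_time=59))
    codes = sf.issue_emergency_codes()
    print("emergency:", sf.check_emergency(codes[0]), sf.check_emergency(codes[0]))
```

A real deployment would persist `last_counter` and `emergency_hashes` per user (in Moodle, a table in the plugin's `db/install.xml`), rate-limit failed second-factor attempts, and raise an event when codes are issued or the secret is regenerated, which matches the logging the post already mentions.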

