The standard way to do this is via OIDC. Discourse ID is currently built using OAuth2 only. To support an MFA flag, we’d need to implement OIDC on the provider layer and pass the MFA values back and forth for clients that require it.
There are several complications:
- in Discourse core, we have the option to require 2FA for certain user types only (staff or all); we likely need something similar to be supported via ID
- ID allows logins via Google/Apple/Facebook/Github – but they don’t reliably say if the user did complete 2FA when logging in… we may need to implement 2FA on the ID layer and also likely double-2FA some users, not ideal
- is 2FA on the identity provider layer (that is, not on the local instance) sufficient for all consumers? Generally speaking, I think yes, but we’d need to do a bit more research before committing to it
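As an added illustration of the consumer side discussed above (example code, not part of the post or of Discourse ID), here is how a relying party could read the MFA signal from an OIDC ID token and apply a "staff only" or "all users" policy. It assumes the provider conveys the authentication methods in the standard `amr` claim (OIDC Core, values from RFC 8176), that the token signature has already been verified by the OIDC library, and that the policy names and method list are this example's own choices.

```ruby
require "json"
require "base64"

# Constructed sample ID token (header.payload.signature). Only the payload is
# inspected here; a real relying party verifies the signature first.
SAMPLE_ID_TOKEN = [
  Base64.urlsafe_encode64({ alg: "RS256", typ: "JWT" }.to_json, padding: false),
  Base64.urlsafe_encode64({ sub: "1234", amr: %w[pwd otp] }.to_json, padding: false),
  "signature-placeholder"
].join(".")

# Decode the claims from the payload segment (signature check assumed done upstream).
def id_token_claims(token)
  payload = token.split(".")[1]
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# RFC 8176 method values this example treats as a second factor (an assumption;
# adjust to what the provider actually emits).
SECOND_FACTOR_METHODS = %w[otp hwk sms swk sc].freeze

# MFA counts as completed when the provider says "mfa" outright, or when at
# least two distinct methods were used and one of them is a second factor.
# A missing or single-method amr (e.g. an upstream social login that does not
# report 2FA) is treated as not completed, which is what forces a local step-up.
def mfa_completed?(claims)
  amr = Array(claims["amr"]).map(&:to_s).uniq
  return true if amr.include?("mfa")
  amr.size >= 2 && amr.any? { |m| SECOND_FACTOR_METHODS.include?(m) }
end

# policy: :staff requires MFA for staff accounts only, :all for everyone.
# Returns :allow or :step_up_required (the instance must run its own 2FA).
def login_decision(claims, policy:, staff:)
  required = policy == :all || (policy == :staff && staff)
  return :allow unless required
  mfa_completed?(claims) ? :allow : :step_up_required
end

if __FILE__ == $PROGRAM_NAME
  claims = id_token_claims(SAMPLE_ID_TOKEN)
  puts "staff policy, staff user:  #{login_decision(claims, policy: :staff, staff: true)}"
  puts "staff policy, pwd only:    #{login_decision({ 'amr' => ['pwd'] }, policy: :staff, staff: true)}"
  puts "all policy, no amr claim:  #{login_decision({ 'sub' => '9' }, policy: :all, staff: false)}"
end
```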