As said above by @Stephen and @mcdanlj, enforcing that isn’t the state of the art security practice anymore, so we do not require that.
However, if you want complete control over the login process of Discourse, you can delegate the authentication to a web service under your control by utilizing DiscourseConnect.