Bug 8043 - FIDO/U2F/Security key authentication support
Summary: FIDO/U2F/Security key authentication support
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Bugzilla mail exporter
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-09 14:25 CET by Pierre Ossman
Modified: 2023-11-10 08:15 CET
CC: 3 users

See Also:
Acceptance Criteria:


Attachments

Description Pierre Ossman cendio 2022-12-09 14:25:49 CET
Using OTP for MFA is not considered secure enough by some users, as it is vulnerable to various phishing attacks. I.e. where the user is tricked into giving up their (temporary) code to the attacker, which can then use the code to impersonate the user.

Other MFA methods are more resilient against this, usually because they use some form of strong cryptography that isn't as easily intercepted and tricked. We already support smart cards and SSH public keys¹ that qualify for this.

¹ Although it is difficult to enforce good private key policy, like password protection

Another commonly used system is FIDO/U2F/FIDO2, which users would like to be able to use with ThinLinc. Fortunately, OpenSSH already has support for these, so it should hopefully be possible to integrate with ThinLinc.
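An added audit check, not part of this bug report or of ThinLinc or OpenSSH: a POSIX shell script that scans an authorized_keys file for OpenSSH FIDO ("sk-") keys that lack sshd's `verify-required` option, i.e. keys that a touch alone unlocks without PIN or biometric user verification. This relates to the footnote's concern about enforcing key policy; the key blobs and user names are constructed placeholders.

```shell
#!/bin/sh
# Added example: report FIDO keys in authorized_keys that sshd will accept
# without user verification (no "verify-required" option on the line).

# Constructed sample authorized_keys content; key blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS='
# plain ssh key, not a FIDO key: out of scope for this check
ssh-ed25519 AAAAC3placeholder alice@laptop
# FIDO key, touch only (no user verification)
sk-ecdsa-sha2-nistp256@openssh.com AAAAInplaceholder alice@token1
# FIDO key with user verification enforced by sshd
verify-required sk-ssh-ed25519@openssh.com AAAAGnplaceholder alice@token2
# FIDO key where even the touch requirement is waived
no-touch-required sk-ssh-ed25519@openssh.com AAAAGnplaceholder bob@token3
'

# Read authorized_keys lines on stdin; print every sk- key line whose
# options field does not contain the verify-required option.
sk_keys_without_uv() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
      | grep -E 'sk-[a-z0-9-]*@openssh\.com' \
      | grep -vE '(^|[[:space:],])verify-required([[:space:],]|$)'
}

# Number of such keys in the given file content; a hardened host expects 0.
count_sk_keys_without_uv() {
    printf '%s\n' "$1" | sk_keys_without_uv | wc -l | tr -d ' '
}

count_sk_keys_without_uv "$SAMPLE_AUTHORIZED_KEYS"
```

To audit a real host, pipe the actual file into `sk_keys_without_uv` (for example `sk_keys_without_uv < ~/.ssh/authorized_keys`) and review each reported line.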
Comment 1 Pierre Ossman cendio 2022-12-09 14:26:31 CET
Note that ThinLinc's dual authentication architecture (bug 2545) might cause some headaches here.
Comment 2 Pierre Ossman cendio 2022-12-09 14:27:58 CET
The American federal government are trying to enforce a requirement of phishing resistant MFA on their agencies:

https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf

They seem to prefer their smart cards (PIV), but FIDO2 seems to be the prominent alternative.
