Allow authentication methods to be combined

Rationale

At the moment, each authentication method is tried in turn, and the first that succeeds allows login. So to implement and use two-factor or multi-factor authentication, there needs to be a _login_xxx method added to the User model for the specific combination of authentication methods that an administrator wants to allow. This means that modules that implement one specific authentication method also need to know about all the other authentication methods that are available in order to support multi-factor authentication with them, or additional modules need to be created just to add that combination of authentication methods.

Proposal

Also allow the authentication methods to be combined in such a way that each individual method must succeed in turn to allow login. This could be done by allowing a plus (+) character to be used in the session.authentications configuration option. These combined authentication methods would then be tried in turn; each must succeed and return the same user_id to allow the user to log in. If any failed, or didn't return the same user_id as the previous method, then the next authentication method following a comma (,) would be tried.

Example:

[session]
authentications = password+sms,method2+method3,method4

So this would require authentication by password followed by sms, or by method2 followed by method3, or by method4 alone, where methods 2-4 could be things like Kerberos, Time-based One-Time Passwords (TOTP), or Universal 2nd Factor (U2F). Each of these additional authentication methods could then be implemented without needing to know about the others.

Implementation

https://bugs.tryton.org/issue9303

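To make the proposed semantics concrete, here is an added reference implementation of the parsing and evaluation rules. It is example code written for this page, not Tryton's code and not the patch in the linked issue: a comma separates alternatives that are tried in turn, a plus chains methods that must all succeed and return the same user_id. The method signature `(login, parameters) -> user_id or None`, the `METHODS` registry, and the sample users, SMS codes and API token are assumptions constructed for the example.

```python
import hmac
from typing import Callable, Dict, List, Optional

# Assumed signature for one authentication method: returns the user_id it
# authenticated, or None on failure.  Tryton's real _login_<name> methods
# are not used here; this is a standalone model of the proposed behaviour.
AuthMethod = Callable[[str, Dict[str, str]], Optional[int]]

# Constructed sample data.  A real deployment would check a password hash
# from the User model, an SMS gateway, a token store, etc.
USERS = {
    'alice': {'id': 7, 'password': 'correct horse', 'phone': '+15550001'},
    'bob':   {'id': 8, 'password': 'battery staple', 'phone': '+15550002'},
}
PENDING_SMS_CODES = {'+15550001': '493817', '+15550002': '201144'}
API_TOKENS = {'tok-alice-9f3a': 7}


def _same(a: Optional[str], b: str) -> bool:
    # Constant-time comparison so a wrong secret does not leak its length
    # or prefix through timing.
    return a is not None and hmac.compare_digest(a.encode(), b.encode())


def login_password(login: str, parameters: Dict[str, str]) -> Optional[int]:
    user = USERS.get(login)
    if user is None or not _same(parameters.get('password'), user['password']):
        return None
    return user['id']


def login_sms(login: str, parameters: Dict[str, str]) -> Optional[int]:
    # Identifies the user by the phone the code was delivered to, on purpose
    # independent of `login`: this is how two individually successful
    # methods can disagree on the user_id, which the combining logic must
    # reject.
    phone = parameters.get('phone')
    expected = PENDING_SMS_CODES.get(phone)
    if expected is None or not _same(parameters.get('sms_code'), expected):
        return None
    for user in USERS.values():
        if user['phone'] == phone:
            return user['id']
    return None


def login_token(login: str, parameters: Dict[str, str]) -> Optional[int]:
    return API_TOKENS.get(parameters.get('token'))


METHODS: Dict[str, AuthMethod] = {
    'password': login_password,
    'sms': login_sms,
    'token': login_token,
}


def parse_authentications(value: str) -> List[List[str]]:
    """'password+sms,method2+method3,method4' -> [['password', 'sms'], ...]"""
    alternatives = []
    for alt in value.split(','):
        alt = alt.strip()
        if not alt:
            continue
        chain = [name.strip() for name in alt.split('+')]
        if any(not name for name in chain):
            raise ValueError(f"empty method name in {alt!r}")
        alternatives.append(chain)
    if not alternatives:
        raise ValueError("no authentication methods configured")
    return alternatives


def _run_chain(chain, methods, login, parameters) -> Optional[int]:
    # Every method in the chain must succeed, and every result must match
    # the user_id returned by the previous one; otherwise the chain fails.
    user_id = None
    for name in chain:
        result = methods[name](login, parameters)
        if result is None:
            return None
        if user_id is not None and result != user_id:
            return None
        user_id = result
    return user_id


def authenticate(config: str, methods, login: str, parameters) -> Optional[int]:
    alternatives = parse_authentications(config)
    # Fail loudly on a misconfigured method name rather than silently
    # skipping it, which could leave a weaker alternative as the only one.
    unknown = {n for chain in alternatives for n in chain} - set(methods)
    if unknown:
        raise ValueError(f"unknown authentication method(s): {sorted(unknown)}")
    for chain in alternatives:
        user_id = _run_chain(chain, methods, login, parameters)
        if user_id is not None:
            return user_id
    return None
```

With `authentications = password+sms,token`, a correct password plus the code sent to the same user's phone logs in, a correct password plus a code sent to someone else's phone does not (both methods succeed, but on different user_ids), and a valid token alone logs in through the second alternative. Note that the fallback order matters: if a weaker single-method alternative is listed, it is reachable by anyone, regardless of the stronger chains before it.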

I think they should also all return the same user ID; otherwise it must fail.

Yes, indeed, I should probably have mentioned that in the implementation details.
