The [[https://www.mediawiki.org/wiki/Extension:WebAuthn|WebAuthn]] extension allows for use of physical security tokens (U2F, etc.) as a second factor for OATHAuth (already bundled). I think it would be a good addition to the TOTP auth method we already have.
I note that the documentation claims to require the `gmp` PHP extension, which core doesn't, so that's a blocker. Our base-convert library generally works around most needs of gmp, so I think in theory it should be possible to replace.
[ ] Passed security review or already Wikimedia deployed
[ ] Voting CI structure tests
[ ] Runs MediaWiki-CodeSniffer
[ ] Runs phan
[ ] Supports MySQL, SQLite, and Postgres (if there are schema changes)
[ ] GPL v2 or later compatible license
[ ] Extension's default configuration provides optimal experience
[ ] Tested with web installer