Segs / WebUI

Web UI template to manage user accounts for the SEGS servers

Add optional support for 2FA #10

Open ldilley opened 6 years ago

ldilley commented 6 years ago

@mobbyg mentioned adding support for 2FA in Discord recently. We should allow the optional use of 2FA for increased security. We can leverage the well-known Google or Microsoft authentication apps for this purpose. There are several decent Google Auth libraries implemented in PHP that take care of the heavy lifting already:

https://github.com/PHPGangsta/GoogleAuthenticator (somewhat dated)
https://github.com/Dolondro/google-authenticator (somewhat active)
https://github.com/chregu/GoogleAuthenticator.php (dated)
https://github.com/sonata-project/GoogleAuthenticator (actively maintained)

The web forms will require updating to enable users to enroll/associate and detach an authenticator with/from their account along with challenging them for a one-time PIN after username and password authentication.

ldilley commented 6 years ago

https://github.com/multiOTP/multiotp, which supports SMS, may also be an option. This project is bulkier than the aforementioned libs that only focus on Google's [H|T]OTP implementation, however.
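
The one-time PIN challenge described in this issue, sketched as an added example that is not part of the thread or of the SEGS WebUI code: a TOTP (RFC 6238) check for the step after username and password authentication, including rejection of a replayed code. It uses only PHP built-ins rather than any of the libraries linked above; the function names are hypothetical, and it assumes 64-bit PHP 7.1 or later with the authenticator-app defaults of HMAC-SHA-1, 30-second steps and 6 digits.

```php
<?php
// Added example (hypothetical helper names), not SEGS WebUI code.

// Decode the RFC 4648 base32 secret that authenticator apps are enrolled with.
function base32_decode_secret(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226) for one counter value; TOTP sets counter = floor(unixtime / 30).
function hotp(string $key, int $counter, int $digits = 6): string {
    $hash = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hash[19]) & 0x0f;        // dynamic truncation
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($bin % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

// Returns the matched time step (persist it per user as $lastStep) or null.
// A step at or before $lastStep is refused, so an observed code cannot be reused.
function verify_totp(string $b32, string $code, ?int $lastStep, int $now, int $window = 1): ?int {
    if (!preg_match('/^\d{6}\z/', $code)) {
        return null;
    }
    $key = base32_decode_secret($b32);
    $current = intdiv($now, 30);
    $matched = null;
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        // hash_equals() compares in constant time; every step in the window is checked.
        if (hash_equals(hotp($key, $step), $code) && ($lastStep === null || $step > $lastStep)) {
            $matched = $step;
        }
    }
    return $matched;
}

// Constructed demo: the RFC 6238 SHA-1 test secret ("12345678901234567890") at T=59.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump(verify_totp($secret, '287082', null, 59)); // first presentation of the code
var_dump(verify_totp($secret, '287082', 1, 59));    // same code again after step 1 was used
```

In a real login flow the stored secret would be encrypted at rest and failed PIN attempts rate-limited, since a 6-digit code is otherwise guessable.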