I’ve actually started developing SAML/ADFS support for my employer at the moment - I am not sure if we plan on open sourcing this, but adding SAML support for us inherently adds 2FA when it meets the criteria from the IDP.
I do think it is beneficial to have 2FA for users that are using the built-in/database authentication, but does it not make sense to leave 2FA to the authentication backend, rather than trying to bolt 2FA on to Icinga itself?
It should be up to the backend to provide the criteria to successfully authenticate - e.g. we are using Duo for 2FA and ADFS as our identity provider.
Duo would take care of hardware token, push notifications, biometrics, etc.
This would be true for other MFA solutions (Okta, OneLogin, etc).
As a user, I wouldn’t want to configure an entirely new 2FA solution in Icinga - it makes much more sense to hand this off to an already existing service - if I already require 2FA on my applications, it’s increasingly likely I already have a 2FA/SSO/SAML solution in place.
EDIT: I also want to mention that asking users not to expose Icinga Web to the world is unrealistic. If there are vulnerabilities in Icinga Web, the same would apply internally and that should be addressed appropriately. If I were a prospective customer of Icinga and were told I shouldn't expose the web interface, that would instantly raise suspicions with our CISO/CTO and we would likely ditch the product.
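The "criteria from the IdP" idea in the post above has one practical catch: if the service provider delegates 2FA to the IdP, it has to check that the IdP actually asserts that MFA happened, otherwise a password-only SAML login is silently accepted. The following is an added example, not Icinga code and not the poster's implementation. It assumes the assertion has already been signature-verified, audience-checked and replay-checked by a real SAML library, and only inspects the `AuthnContextClassRef` and the ADFS `authnmethodsreferences` claim. The set of context classes treated as MFA-grade and the sample assertions are constructed for this example and are a policy choice, not a standard.

```python
"""Enforce an MFA requirement on a SAML assertion at the service provider.

Added example (not Icinga code, not the poster's implementation). Assumes the
XML was already signature-verified by a SAML library; in production also parse
with defusedxml rather than the stdlib parser.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Policy (assumed, adjust to what your IdP emits): which SAML authentication
# context classes count as "a second factor was used".
MFA_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
}
# ADFS (with Duo, Azure MFA, etc.) keeps a password-style AuthnContextClassRef
# and instead reports MFA through this claim/value pair.
ADFS_AUTHN_METHODS_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
ADFS_MFA_METHOD = "http://schemas.microsoft.com/claims/multipleauthn"


def authn_context_classes(assertion):
    """All AuthnContextClassRef values in the assertion's AuthnStatements."""
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in assertion.findall(path, NS) if e.text]


def attribute_values(assertion, name):
    """All AttributeValue texts for the attribute called `name`."""
    values = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def mfa_satisfied(assertion_xml):
    """Return (ok, reason). Deny by default: no positive MFA signal means no MFA."""
    root = ET.fromstring(assertion_xml)
    # Accept either a bare Assertion or a samlp:Response wrapping one.
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element"
    classes = authn_context_classes(assertion)
    hits = [c for c in classes if c in MFA_CONTEXT_CLASSES]
    if hits:
        return True, "AuthnContextClassRef " + hits[0]
    methods = attribute_values(assertion, ADFS_AUTHN_METHODS_CLAIM)
    if ADFS_MFA_METHOD in methods:
        return True, "authnmethodsreferences contains multipleauthn"
    return False, f"no MFA signal (classes={classes}, methods={methods})"


# Constructed sample: ADFS-style assertion after password + second factor.
ADFS_MFA_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AttributeValue>
      <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: same user, password only. Must be rejected.
PASSWORD_ONLY_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("adfs+mfa", ADFS_MFA_ASSERTION), ("password-only", PASSWORD_ONLY_ASSERTION)):
        print(label, mfa_satisfied(doc))
```

The point of the deny-by-default branch is that the SP's policy is "prove MFA happened", not "fail if the IdP says it did not"; an IdP that was misconfigured to skip Duo for some group would otherwise pass. Pairing this with a `RequestedAuthnContext` in the AuthnRequest is good hygiene, but the response-side check is the one that actually enforces anything.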