On Mon, Apr 9, 2018 at 12:13 PM, Tom Astle <t...@pcc.com> wrote: > I'll add a "me too" for this. I'd also like to use the upcoming TOTP > support with this so that if someone was coming from a certain subnet, say > an RFC1918 private, they would not have to use the 2fa. Presently, we are > looking at using Duo for this, which is really expensive in scale. > > I would think this would be possible, as well, but may require a little more work than just filtering out connections. This might actually require customizing the TOTP module to allow you to configure scenarios where you require 2FA or bypass it, but, again, should be very doable.