* Software tokens

* Hardware tokens

* U2F

It should be possible for an administrator to select what mechanisms are available for a realm. We need the option to enforce that a user has at least one 2nd factor authentication associated with the account. Then it should be possible for adminstrators to provision tokens on behalf of users, but also for users themselves to provision their own. For hardware tokens a lot of them use the same algorithm as the software token, but on caveat is that you need to be able to exchange a device-id for the token secret. This could be a rest endpoint or a lookup in a database, but I don't think there's a generic approach available so maybe we need to introduce an SPI for this.

Are we able to do the above with the current Authenticator SPI? We also need:

* Account management - users should be able to choose which mechanism to use if there's more than one enabled for a realm

* Required action to enable OTP - same as above

* Admin console - administrators should be able to provision on behalf of users

* We need to refer to it as 2nd factor or multi-factor as OTP is just one possible mechanism. Other simple examples could be sending a code to email or sms which has to be copy/pasted back to the login forms.

Looks like we have a community member that is willing to contribute U2F and another that could contribute hardware tokens.