Allow users to choose between two MFA methods (YubiKey or Authenticator App)

We have recently started rolling out YubiKeys for multifactor authentication in Devolutions Server. They provide strong security and work very well.

At the same time, we would like to give users the ability to choose between two MFA methods at login:

• YubiKey as the preferred hardware-based method
• Smartphone authenticator app (TOTP) as an alternative

The idea is not to have a weaker "fallback" option like email or SMS, but to configure two secure MFA methods in parallel, so that users can select the one that is available to them at the moment of login.

Benefits:

• Prevents lockouts if one method (e.g. the YubiKey) is not at hand.
• Reduces IT support workload, since fewer manual resets are required.
• Maintains strong MFA standards by limiting the choice to secure methods only (YubiKey and TOTP).

This flexibility would make the transition to hardware tokens smoother while still ensuring that users always have a secure authentication method available.