Authenticator support

  • How about flagging authenticator plugins to avoid the use of more than one?
    Or do not limit it, and if the user wants to use 1000 authenticators...

  • Well, for backup purposes alone you should be able to use more than one (which is actually recommended for YubiOTP and U2F),
    but there should be a limit for performance reasons; U2F, for example, has to send a challenge for each stick connected to that account,
    and for the YubiKeys you also need to store and manage them. In my auth software that I have in PHP I set 5 YubiKeys and 5 U2F sticks as the limit.


    Also @Nuxwin, what will happen if the Yubi servers are not reachable?

    asperger inside(tm)

  • @UncleSam


    Adding a flag for the plugin service type could be a solution. This would allow us to prevent users from making use of different plugins providing similar services, but hey, if an administrator wants to make the authentication process complex, or if a user likes to make his life a hell when authenticating, that is his problem, right?


    @My1


    Currently, and according to the Yubico recommendations, the YubiKeyAuth plugin covers that case by making asynchronous requests to all Yubico validation servers (there is actually a pool of 5 servers). The first that responds is the winner and the other requests are just aborted. Having a case where all servers are down should be something really rare, and in such a case the user could send a mail to the administrator. If an administrator wants to enable 2FA, that is not to fall back to 1FA in case of service disruption, right?

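    The fan-out described in the post above, as an added example (this is illustration code written for this page, not the YubiKeyAuth plugin's own code): every server in the pool is queried at once, the first answer wins, the remaining requests are cancelled, and if nobody answers before the timeout the check fails closed rather than falling back to 1FA. The host names, latencies and simulated responses are constructed; a real client would perform the HTTPS request and check the response signature where `query_server` sleeps.

    ```python
    import asyncio

    # Constructed stand-in for the validation-server pool (assumed names, not the
    # real Yubico endpoints; example only).
    POOL = ["api1.example.test", "api2.example.test", "api3.example.test",
            "api4.example.test", "api5.example.test"]


    class ValidationUnavailable(Exception):
        """No server in the pool answered in time: fail closed, no 1FA fallback."""


    async def query_server(host, otp, latency, status):
        """Simulated validation request.

        `latency` and `status` are constructed behaviour for this example.
        `status is None` models a server that is down and never responds.
        """
        if status is None:
            await asyncio.Event().wait()      # blocks until cancelled
        await asyncio.sleep(latency)
        return host, status


    async def validate_otp(otp, behaviour, timeout=2.0):
        """Query the whole pool concurrently; first response wins.

        `behaviour` maps host -> (latency_seconds, status_or_None) and stands in
        for the network. Returns (winning_host, accepted: bool).
        """
        tasks = [asyncio.create_task(query_server(h, otp, *behaviour[h])) for h in POOL]
        done, pending = await asyncio.wait(
            tasks, timeout=timeout, return_when=asyncio.FIRST_COMPLETED)

        # Abort every request that is still in flight, whether or not we got an answer.
        for t in pending:
            t.cancel()
        await asyncio.gather(*pending, return_exceptions=True)

        if not done:
            raise ValidationUnavailable("no validation server answered")

        host, status = done.pop().result()
        # Only an explicit OK accepts the OTP; any other status is a rejection.
        return host, status == "OK"


    def validate_otp_sync(otp, behaviour, timeout=2.0):
        """Blocking wrapper so the check can be called from ordinary code."""
        return asyncio.run(validate_otp(otp, behaviour, timeout))


    if __name__ == "__main__":
        # Constructed scenario: api2 is fastest, api4 and api5 are down.
        healthy = {
            "api1.example.test": (0.05, "OK"),
            "api2.example.test": (0.01, "OK"),
            "api3.example.test": (0.03, "OK"),
            "api4.example.test": (None, None),
            "api5.example.test": (None, None),
        }
        print(validate_otp_sync("cccc-example-otp", healthy))

        # Constructed scenario: the whole pool is unreachable.
        all_down = {h: (None, None) for h in POOL}
        try:
            validate_otp_sync("cccc-example-otp", all_down, timeout=0.2)
        except ValidationUnavailable as e:
            print("login refused:", e)
    ```

    The point of the `all_down` case is the one raised in the thread: when the pool is unreachable the plugin refuses the login instead of silently degrading to password-only, so an administrator who locks himself out that way needs an out-of-band path (mail to the admin, console access) rather than a fallback in the plugin.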

  • Well, not wanting a fallback is not really wrong, except maybe if the admin locks himself out because he screwed up the network config with DNS servers that don't work or whatever.


    But at least we know that there's no fallback here.


    But that's one reason why 2FA which doesn't involve a 3rd party is better in my opinion, because you don't have to rely on that 3rd party.

    asperger inside(tm)

  • @My1 Don't worry, I'll implement FIDO U2F soon ;)


  • That's epic. IMO it is a really great thing. TOTP is the standard because it just works and there are applications in probably any language (I wouldn't be surprised if there's a DOS implementation of it), but the security isn't perfect, especially considering that pretty much all Android devices are vulnerable to an exploit that allows getting root and copying the seeds without leaving a trace. Smartcard-like security (you could say that U2F is basically a super-constrained cheap smartcard, in a very simplified manner), where those keys cannot be copied, makes it great.


    But if you do 2FA, maybe also add some kind of backup codes that the user can use to get in in case of problems (e.g. the key broke, got stolen, whatever).

    asperger inside(tm)

  • @My1


    What do you mean by backup codes exactly? A passphrase that the user is responsible for keeping in his pocket and using to bypass 2FA authentication if needed? Please clarify your idea a bit, because I feel like an idiot who is starting to hate himself ;)


  • Well.
    I have seen 2 approaches:
    one-time codes you print out which allow you to get in temporarily (for example if the phone's battery is down, in the case of TOTP and other phone-based 2FA) (for example used at Google, ProtonMail and others);
    one code which gets printed out which allows removing 2FA instantly (I've seen that on Steam, Apple, Dropbox and probably others).


    I personally prefer the code list because the codes aren't re-usable and they don't throw 2FA right into oblivion immediately.


    But no matter how it's done, it essentially is something printed out on a piece of paper which can be used if the electronic 2FA can't be used.

    asperger inside(tm)
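    The "one-time code list" approach from the post above, as an added example (written for this page; it is not i-MSCP code and not any of the services named). It generates a short printable list, stores only salted PBKDF2 hashes server-side, accepts a code regardless of case or separators, and deletes each code on first use so it cannot be replayed. The alphabet, code length and `PBKDF2_ROUNDS` are assumptions chosen for the example.

    ```python
    import hashlib
    import hmac
    import secrets

    # Alphabet without visually ambiguous characters (0/o, 1/l/i) so a printed
    # code can be typed back reliably; about 4.95 bits of entropy per character.
    CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
    PBKDF2_ROUNDS = 20_000   # assumed cost parameter for this example


    def generate_codes(count=10, length=10):
        """Return `count` random one-time codes, grouped in fives for printing.

        The returned plaintext list is shown to the user exactly once.
        """
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            codes.append("-".join(raw[i:i + 5] for i in range(0, length, 5)))
        return codes


    def normalize(code):
        """Accept what a user actually types: case and separators do not matter."""
        return "".join(ch for ch in code.lower() if ch.isalnum())


    def _hash(salt, code):
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


    class BackupCodes:
        """Server-side record of a user's unused backup codes.

        Only salted hashes are stored, never the plaintext. A code is removed
        when redeemed, so it is single use, and no order is enforced: any
        remaining code works, which is what lets a user carry just part of the
        printed list.
        """

        def __init__(self, codes):
            self.salt = secrets.token_bytes(16)
            self.unused = [_hash(self.salt, c) for c in codes]

        def remaining(self):
            return len(self.unused)

        def redeem(self, candidate):
            """Return True and consume the code if it is a valid, unused code."""
            digest = _hash(self.salt, candidate)
            for i, stored in enumerate(self.unused):
                if hmac.compare_digest(digest, stored):
                    del self.unused[i]          # single use: never accepted again
                    return True
            return False


    if __name__ == "__main__":
        codes = generate_codes()
        print("Print these and keep them somewhere safe:")
        for c in codes:
            print("   ", c)
        store = BackupCodes(codes)
        print("accepted first use:", store.redeem(codes[0].upper()))   # True
        print("accepted replay:   ", store.redeem(codes[0]))           # False
        print("codes left:", store.remaining())                        # 9
    ```

    The second approach from the post (a single printed code that disables 2FA outright) is the same mechanism with `count=1`, where the caller turns 2FA off instead of granting one login when `redeem` returns True; the difference the post cares about is entirely in what the caller does after a successful redeem.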


  • Yup, that's the "one-time code list" way, which IMO is splendid (especially if they don't enforce any particular order, so you can take just a part of the list with you and not the entire list gets compromised if something happens).

    asperger inside(tm)