We use two-factor here – YubiKeys and Google Auth (TOTP), both of which can be calculated offline. However, we have them behind a RADIUS server for convenience, and normally lock things using Shibboleth.
The way that apps such as SecretServer handle two-factor is to first do the standard auth method (LDAP), and then (depending on configuration) subsequently make a RADIUS call for the two-factor. Indeed, RADIUS auth support would be a good option to add to Rancher, and it shouldn’t be all that hard (though you’d still need LDAP for groups).
If Rancher supported Shibboleth authentication - or two-factor using a remote RADIUS server - then this would be a win for us, as we’re moving towards two-factor for admin tasks.