Add RADIUS server as a 2FA option
Problem to solve
A prospect currently uses a customized GitLab FOSS installation to which they've added a RADIUS 2FA option. Specifically, their implementation requires a username and password as normal, plus a static PIN + YubiKey OTP as the RADIUS 'password'. The RADIUS server is responsible for validating the PIN + YubiKey OTP.
For them to upgrade to a paid subscription and move away from their custom version, we will need to implement a RADIUS 2FA option.
We might be able to use something like https://github.com/cbascom/devise-radius-authenticatable. The only requirement for this particular customer is that we send the username plus the combined PIN + OTP as the password to the RADIUS server.
Intended users
User experience goal
This is essentially a form of three-factor authentication for this customer. To GitLab it would only look like 2FA, since the second and third factors are combined into the PIN + OTP.
The customer requires this 3FA to access any of their production systems. Since GitLab deploys to those same systems they want to require the same level of authentication in GitLab.
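To illustrate the requirement under "Problem to solve", here is an added sketch (not GitLab code and not taken from devise-radius-authenticatable) of what sending the username plus the combined PIN + OTP looks like on the wire as a RADIUS Access-Request, using the User-Password hiding from RFC 2865 section 5.2. The function names, the user name, the shared secret and the PIN/OTP values are constructed for the example.

```ruby
require 'digest'
require 'securerandom'

# Constructed sample values (assumptions, not from the issue).
SAMPLE_SECRET = 'constructed-shared-secret'
SAMPLE_PIN    = '4821'
SAMPLE_OTP    = 'cccccccccccc' + 'bdefghijklnrtuvc' * 2 # 44 chars, YubiKey OTP length

# RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
# MD5(secret + previous ciphertext block). The first block uses the
# Request Authenticator in place of a previous block.
def hide_password(password, secret, authenticator)
  raise ArgumentError, 'User-Password must be 1..128 bytes' unless (1..128).cover?(password.bytesize)
  padded = password.b + "\0".b * (-password.bytesize % 16)
  prev = authenticator
  padded.bytes.each_slice(16).map do |block|
    mask = Digest::MD5.digest(secret.b + prev).bytes
    prev = block.zip(mask).map { |b, m| b ^ m }.pack('C*')
  end.join
end

# What the RADIUS server does before validating the PIN + OTP.
def reveal_password(hidden, secret, authenticator)
  prev = authenticator
  hidden.bytes.each_slice(16).map do |block|
    mask = Digest::MD5.digest(secret.b + prev).bytes
    prev = block.pack('C*')
    block.zip(mask).map { |c, m| c ^ m }.pack('C*')
  end.join.sub(/\x00+\z/, '')
end

# One attribute: type, length (including the 2 header bytes), value.
def attribute(type, value)
  [type, value.bytesize + 2].pack('CC') + value.b
end

# Access-Request (code 1) carrying User-Name (1) and User-Password (2),
# where the "password" is the static PIN concatenated with the OTP.
def access_request(username, pin, otp, secret, identifier: 1,
                   authenticator: SecureRandom.random_bytes(16))
  attrs = attribute(1, username) +
          attribute(2, hide_password(pin + otp, secret, authenticator))
  [1, identifier, 20 + attrs.bytesize].pack('CCn') + authenticator + attrs
end
```

A 4-digit PIN plus a 44-character OTP spans three 16-byte blocks, so the chained masking is exercised on every login. The hiding rests only on MD5 and the shared secret, so the link between GitLab and the RADIUS server should stay on a trusted network or inside a tunnel.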