Description
The goal of this issue is to discuss and plan the work needed to add Two Factor Authentication in Matomo.
Now documented in the Security guide.
Requirements
- Support SMS delivery for 2FA codes (reusing our Mobile Messaging feature of connecting a phone for SMS messages).
- Support time-based one-time password (TOTP) app(s) such as Google Authenticator (see for example this user guide for GitHub as a good example). The application automatically generates an authentication code that changes after a certain period of time. Other auth apps must be supported, e.g. 1Password, Authy, LastPass Authenticator.
- Recovery codes feature for when users lose access to the device and can't receive codes.
- User should be able to see a Security page, or a section within Personal settings, to 1) set up an authenticator app, 2) configure the SMS delivery phone number, 3) view recovery codes.
- Super Users should see, in the Edit User screen and in the listing of users, when a user has 2FA enabled, e.g. via an indicator "2FA ☓" or "2FA ✓".
- A Super User will have the ability to "Require two-factor authentication for everyone", with an inline text, e.g. "All users, including Super Users, who do not have two-factor authentication enabled for their account will receive an email notifying them about the change and will be required to activate 2FA when they next login." When enabled, users will be required to set up 2FA on login and won't be able to access any screens or API until then.
- How will 2FA support impact the API and the `token_auth`? Will API users need to do anything different?
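As an added reference example (not Matomo code and not from the GoogleAuthenticator plugin), the two building blocks the TOTP and recovery-code requirements above rest on: RFC 6238 TOTP verification in the profile Google Authenticator, Authy, 1Password and LastPass Authenticator all use (HMAC-SHA1, 30-second steps, 6 digits) with a small clock-skew window and replay protection, and recovery codes that are generated once, stored only as slow hashes, and burned on use. The secret, account name, salt and window size are assumptions chosen for illustration; the RFC test secret is used so the output can be checked against the published vectors.

```python
# Added example, independent of Matomo's own implementation.
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import List, Optional

STEP_SECONDS = 30   # TOTP period used by the common authenticator apps
DIGITS = 6          # code length shown by the common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int,
                last_used_counter: int = -1, window: int = 1) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window` steps.

    Returns the matching time-step counter so the caller can persist it and
    refuse replays (a counter at or below the last accepted one is rejected),
    or None when nothing matches. Comparison is constant-time.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    base = at // STEP_SECONDS
    for counter in range(base - window, base + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str = "Matomo") -> str:
    """otpauth:// URI the authenticator app enrols from (normally rendered as a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def generate_recovery_codes(count: int = 8) -> List[str]:
    """Random single-use codes shown to the user exactly once, e.g. 'a3f9-1c7e-9b02'."""
    return ["-".join(secrets.token_hex(2) for _ in range(3)) for _ in range(count)]


def hash_recovery_code(code: str, salt: bytes) -> bytes:
    """Store only a slow salted hash; the plaintext lives only on the user's printout."""
    normalised = code.replace("-", "").lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


def consume_recovery_code(stored: List[bytes], salt: bytes, submitted: str) -> bool:
    """Match the submitted code against the stored hashes and burn it on success."""
    candidate = hash_recovery_code(submitted, salt)
    for i, digest in enumerate(stored):
        if hmac.compare_digest(digest, candidate):
            del stored[i]          # single use: remove the matched hash
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    secret = secrets.token_bytes(20)
    print(provisioning_uri(secret, "alice@example.org"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted step:", verify_totp(secret, code, now))
    codes = generate_recovery_codes()
    salt = secrets.token_bytes(16)
    hashes = [hash_recovery_code(c, salt) for c in codes]
    print("recovery code accepted:", consume_recovery_code(hashes, salt, codes[0]))
    print("same code again:", consume_recovery_code(hashes, salt, codes[0]))
```

The returned time-step counter is what makes the "one code, one login" rule enforceable: persist it per user and pass it back as `last_used_counter` on the next attempt. The one-step window tolerates the small clock drift of a phone without accepting codes that are minutes old.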
Currently we have this plugin available for Matomo with support for Google Authenticator: https://plugins.matomo.org/GoogleAuthenticator, which can likely be used as a base for the work.