I forgot about that option. But it is lacking one feature (or maybe 2) these are:
- Enforce the usage of 2 factor
- Allow an administrator to reset the 2nd factor in case of loss (might be possible, but could not find it documented, same holds true for combining it with external (ldap) authentication)