Yesod.Auth - how to require second-factor authentication?

I'm currently building a personal website in Yesod 1.4.5, and at the moment I'm implementing authentication. Authenticating with a username and password was easy enough - I used Yesod.Auth.HashDB - but as I'm quite security-conscious I'd like to require a second factor as well.

Does Yesod.Auth have support for multi-factor authentication? It definitely supports multiple auth plugins, but as far as I can tell these appear to be treated as alternative authentication methods rather than additional mandatory authentication factors. Can auth plugins be composed in some way, "wrapping" an MFA plugin around HashDB? There didn't seem to be functionality for this in the sources.

If this is indeed unsupported, how best can I extend Yesod.Auth from outside to add MFA? Extending stateful Haskell packages is hard and I could use a few hints.

Ideally I'd like to support both U2F security keys and TOTP codes, but just supporting the latter would still be very good.

Misguidance answered 6/10, 2017 at 4:53
