[horde] Any 2FA / MFA options which could work with Horde?

[Sebastian Arcus]

This is a reluctant request, as per the details to follow.

Short version first: is there any way of making Horde work with some 
sort of a 2FA / MFA system? I'm looking for the simplest option - even 
if it involves some sort of authentication hook linked to a bash script, 
which talks to a Windows app installed on the client workstation to pass 
a TOTP code to the user. Or any other similar adaptation.

Long version: I've had Horde installed on a site and working for a good 
number of years. There is no access to Horde from the internet, only 
from internal network and through vpn. On the client side, users 
passwords are stored in the password manager and auto-filled - so that 
users are not psychologically accustomed to being asked to type their 
email password for any reason. I think this provides a pretty high level 
of protection against phishing attacks - specially as, even if a third 
party obtains emails passwords, it's not possible to gain access to the 
email system and data from outside the internal network.

However, being an organisation operating in the legal field, the 
insurance company is adamant that we need to implement 2FA / MFA - 
otherwise the insurance premium would be much higher. It doesn't matter 
that I explained our setup to them, and how MFA / 2FA requirements would 
be of little value to a small setup where the server and email clients 
are inside the internal network, with no email client access from the 
internet side.

Any suggestions much appreciated