**Exception**

Use of additional factors for authentication is left up to the deployer, but
it is strongly recommended.