In present days, Multifactor Authentication (MFA) is a usual best practice in Computer Security. The question exists whether CA PAM can work with Multifactor Authentication and how to proceed to enable it in CA PAM

As of versions 4.2.X and lower, CA PAM has only two embedded MFA authentication methods: LDAP+RADIUS and LDAP+RSA. This means that both authentication methods may be configured in PAM and they can be made to work together through setting a common attribute (for instance samAccountName in LDAP coincidentak with Radius uid) in CA PAM.

However this does not mean you cannot configure other MFA methods: this just implies that MFA for other combinations must be configured at the first authentication factor and that PAM will be agnostic with respect to this second factor. For instance, let's imagine an Azure Entra directory for which we also want to configure Microsoft Authenticator as a second authentication factor: in PAM you would just configure a regular LDAP or SSO authentication, and the second factor you would be defining in your Entra directory. During the authentication flow PAM would be requesting authentication at the directory, which would trigger the second authentication on its own, and once performed, would return the authentication to PAM.