My secure advice (as a specialist) is to require the OTP instead, because of the security breaches that often happen by people who only know the password so they sneak in while the account owner is AFK and disable authentication so they can go to their own computer and authenticate because they only were able to steal the owner's password.