Most security certifications require remote clients to run a two-factor validation process before allowing them to connect. It would also be great if the Windows client could verify that system protection is enabled (manage-bde -status -cn localhost) before allowing a connection to the remote network.
I agree with this… if a laptop gets stolen and the user doesn’t realize it, the thief has complete access to my ZeroTier network until the user notifies me that the laptop is gone. Now I don’t know about your users, but mine tend NOT to tell me anything that might get them fired… lol… if we had MFA/2FA, then even if the laptop is stolen, the thief cannot access the ZeroTier network.
We have OIDC SSO available to users hosting networks at https://my.zerotier.com. The network admin connects their own OIDC solution (Auth0, Okta, Azure AD, etc.) and can configure login/MFA requirements there.