Hi, I have purchased a license of Pragma Fortress 5.0, which I will use to test my development (not yet done) to support two-factor authentication with x509 on my server device. I have the following queries about two-factor authentication with x509 digital certificates.
1) Is a CAC smart card reader mandatory for 2FA? I understand that the CAC smart card reader is physically connected via USB to the system where the Pragma client is installed, and Pragma Fortress prompts for the PIN when the CAC reader is physically reset. Can't I use the PIN from a Google Authenticator OTP? If yes, there should be a way to provide the Google OTP to Pragma Fortress without a smart card reader.
2) If Google Authenticator cannot be used, then what generates the PIN? Does the CAC reader have the software to generate the random PIN? I understand it just allows insertion and detection of the smart card.
3) Does the x509 certificate have any field that is used as a password to which the PIN is appended when sending the authentication request to the AAA server, or should the SSH server prefix its own password to the PIN to send to the AAA server?
4) Is it mandatory to have the x509 certificate on the smart card inserted into the CAC reader?
Thanks,
Sreedhar