Phabricator can be configured to require multi-factor auth to log in to the web UI. However, Conduit API access is single-factor, requiring only an API (or CLI) token to access. We'd like to limit the effectiveness of a compromised API token.
Conduit tokens already have an expires field, though I don't believe there's currently a way to set it. It'd be useful to be able to enforce a global key-expiration length specified through a config value.