I’m just curious over European GDPR reagulations. It requires to inform parties about intrusion. That bringed me idea of PAM module. You could set two phase authentication. One is normal password. Then login process sends email to admin and waits to answer. Admin signs return email with GPG key. If signature is valid user enters system.