[VectorLock]

If the "layers" of your security use the same factors are they really layers or are they simply a time sink for you permitted users, and another thing to break?

My visceral reaction was "you got to have a VPN" as well but the more I thought about it the more I was convinced you don't _need_ a VPN.

[HaloZero]

Effectively are you saying: if I hacked your account I hacked your VPN username/password too? It's still an extra step that might trigger some sketchy senses of some people.

Not sure if it still doesn't work effectively for that.

[kortilla]

If your only threat model is leaked credentials and not vulnerabilities, sure.

[VectorLock]

Or if your threat model accounts for the prevalence of stolen credentials and end-point compromise vs. the vulnerability of your exposed application attack surface.