Multifactor authentication via valid client SSL/TLS certificate
If an authentication entry in the pg_hba.conf specifies the clientcert=verify-full, then the client must present a valid SSL certificate that matches the login name, or the client name based on a map.