If you forgot the password, the password reset form always exists here: you can type your email or nickname to request the password reset and check your mailbox for the restore link.
While two-factor authentication adds a stronger security layer, it also adds two cons:
- Users will have a more complicated authentication process that requires them to do something other than what they typically did (copy-paste the code from email or phone, use a fingerprint to confirm something, etc.)
- Once your email/phone gets lost and/or smashed by a roller, you'll lose the ability to log in because the required authentication component is lost. That will require you to contact staff by separate means and, additionally, confirm you are ~~not a camel~~ the actual account owner and not a random hacker committing identity fraud. However, a sort of emergency codes concept is possible: codes that users can export somewhere and re-use as a rescue way to log in if they lose the device required to log in.
If it is added, make it optional, to allow users to choose between convenience and stronger security. Anyway, I will need to check how it can be done in the most independent way to avoid using external services; I don't trust them (except for some cases). Also, make sure it won't harm the work of Chinese users (most foreign services are banned for them).
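The emergency codes idea from the post above, sketched as an added example that is not part of the original post or the site's own code: codes are generated with the Python standard library only (no external service), stored server-side as salted hashes, and burned after one use. The alphabet, code length, code count, iteration count, record layout and the single-use policy are assumptions.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I look-alikes
CODE_LEN = 10        # 10 symbols * 5 bits = 50 bits of entropy per code
CODE_COUNT = 8       # assumption: codes issued per account
ITERATIONS = 100_000  # assumption: PBKDF2 work factor


def _normalize(code: str) -> str:
    # Accept what users actually type: lower case, dashes, spaces.
    return "".join(ch for ch in code.upper() if ch in ALPHABET)


def _digest(code: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked database does not reveal usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)


def issue_codes(count: int = CODE_COUNT):
    """Return (codes shown to the user once, records to store server-side)."""
    codes, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        salt = secrets.token_bytes(16)
        codes.append(f"{raw[:5]}-{raw[5:]}")
        records.append({"salt": salt, "hash": _digest(raw, salt), "used": False})
    return codes, records


def redeem(records, submitted: str) -> bool:
    """Check a submitted code against the stored records; burn it on success."""
    code = _normalize(submitted)
    if len(code) != CODE_LEN:
        return False
    matched = None
    for rec in records:  # scan every record so timing does not depend on position
        ok = hmac.compare_digest(_digest(code, rec["salt"]), rec["hash"])
        if ok and not rec["used"] and matched is None:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True  # persist this together with the login in real storage
    return True
```

Failed `redeem` attempts should count against the same rate limit as failed password logins, since the codes bypass the second factor.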