This is a quick suggestion.

As we all know, you can "Require two-step verification" under usergroup permissions. They will see this message on the front page:

[image]

One small thing I noticed is the user can still change his password or email before enabling the two-step. Everything else is closed off, like the front page, inbox and all that, but everything under /account/ is accessible.

I would really like to use this as a method of preventing accounts (without 2FA already enabled) from being stolen. But with just a login, the account can be taken over even if I've "required" 2FA on the user.

I know other sites don't have to deal with the same security issues I do. I have always had a problem of people trying to steal accounts because established accounts hold much more value. I will be requiring 2FA for everyone, but I feel that disabling account settings until they actually enable it would be great.