It would be great if you either...
- could disallow specific kinds of 2FA for user groups.
- adjust "Implemented - Option to force 2Factor authentication on staff", so that you can force specific kinds of two-factor authentication.
All things should be done per user group, so that you can disable/force different kinds of 2FA for different users. (E.g. disallow insecure modes for staff members, while allowing all other users all modes).
A thing which should be kept in mind is that you may want to allow/disallow more than one mode. So, allow only [mode1] OR [mode2], or respectively disallow [mode2] AND [mode3].
Actually there are not that many modes, but as this can be extended with add-ons, there may be more modes in the future.
Just because I may want to force some users to use secure two-factor authentication systems. Some may not really be considered secure by some people. For example, the email mode can be considered insecure, because it at first uses 6 digits which are valid for 15 minutes (compared to the OTP mode, where the same length is only valid for a few seconds), email is generally sent unencrypted, and if someone has access to your inbox they can, even with 2FA enabled, take over your complete account by just resetting the password and using the email OTP.
Because of this I would like it if you could disallow some modes for some user groups, so you can at least force the 'critical' users to use secure 2FA modes.
Example: You prevent all staff members from using insecure email 2FA. Or you can force all staff members to use the secure OTP mode or [custom add-on mode].
All other users can use all modes they like.
Which mode would you prefer?
I would prefer the first mode, because in the second mode it is still possible for the users to activate an insecure mode. If you only implement the second mode, then an attacker could just use the insecure alternative mode for login.
IMHO it would also be nice if you could also disable/disallow the backup recovery codes, because if you have reliable people who backed up their shared secret (the QR code you have to scan at activation) or have enough different (backup) modes activated, the recovery codes may just be a (theoretical) unnecessary security risk. The problem with them is that they are, in contrast to the 2FA protection, static and still quite short (only 6 digits).
I know you get an email notification if a recovery code was used, but what if the email delivery fails?
And even if it does not fail, it does not help you in an acute attack at all. Especially for admins: you know (afterwards) that there was unauthorised access, but how does it help you if the attacker has already deleted all posts or got access to private user data (email, username)?
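An added illustration of the per-group allow/disallow policy discussed in this thread (example code written for this page, not code from the forum software or any add-on). It assumes constructed mode names and a hypothetical `GroupPolicy` structure; the point it shows is that the rules must be applied both when a mode is activated and when it is used at login, so a mode disallowed for staff cannot serve as a login fallback, and that recovery codes can be treated as just another mode to disallow.

```python
"""Per-user-group 2FA mode policy, checked at activation and at login."""
from typing import Dict, Iterable, Optional, Set
from dataclasses import dataclass, field

# Constructed mode names for the example; add-ons may register more,
# so modes are plain strings rather than a fixed enum.
ALL_MODES: Set[str] = {"totp", "email", "backup_codes"}


@dataclass
class GroupPolicy:
    allowed: Optional[Set[str]] = None      # None = no allow-list; else "only these"
    disallowed: Set[str] = field(default_factory=set)  # never usable in this group
    require_2fa: bool = False               # group members must have 2FA active


def effective_modes(groups: Iterable[str], policies: Dict[str, GroupPolicy],
                    known_modes: Set[str] = ALL_MODES) -> Set[str]:
    """Intersect every allow-list and subtract every deny-list, so a user in
    several groups gets the most restrictive combination of their rules."""
    modes = set(known_modes)
    for name in groups:
        policy = policies.get(name)
        if policy is None:
            continue
        if policy.allowed is not None:
            modes &= policy.allowed
        modes -= policy.disallowed
    return modes


def can_activate(groups, policies, mode: str) -> bool:
    """Activation-time check: may this user switch the mode on at all?"""
    return mode in effective_modes(groups, policies)


def can_verify(groups, policies, mode: str, enabled: Set[str]) -> bool:
    """Login-time check: a mode enabled before the policy changed, or picked as a
    fallback by an attacker, is refused here even though it is still enabled."""
    return mode in enabled and mode in effective_modes(groups, policies)


def is_compliant(groups, policies, enabled: Set[str]) -> bool:
    """Forced-2FA check: if any group requires 2FA, the user must have at least
    one policy-permitted mode active (a disallowed mode does not count)."""
    required = any(policies[g].require_2fa for g in groups if g in policies)
    return not required or bool(enabled & effective_modes(groups, policies))
```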