by Joeri 3238 days ago
TOTP, the algorithm used by github, google, and many others to provide two-factor auth, is basically that, except your phone is the little device. IMHO this is "good enough" security for normal people. I haven't read of cases where people's second factor got hacked, just where it got bypassed (e.g. by using social engineering to skip passwords entirely).
1 comments

People say the weakest link is the user in passwords, and that's often true. But for more security conscious users the weakest link is the helpdesk. It may not even be where you expect. Plenty of people have been hacked because the hacker called the support line for their registrar, hosting, email provider, or ISP and got a password changed without any form of hard verification.

It can be extremely frustrating to do everything right and then have your knees cut off by some script reader in a cube farm somewhere.

Also, if you do email verification for accounts, whenever someone changes their email send one to the old account saying "Hey, this is being changed, are you OK with it?" and if they say no, revert the email and reset the password on the spot.