Got involved in a security discussion on another forum. They had a few hacked accounts, so they enabled 2FA for everyone.
The argument I put forward is that I consider forced rotation of passwords and forced expiry of login sessions a lazy approach to security that also causes inconvenience.
There is one security method that has always been very strong, and that is IP-based ACLs.
IPv6 allows every internet device out there to have its own routable IP; ISPs would have to get used to proper allocations, not temporary DHCP ones (sorry BT/Sky). The big problem, though, is the privacy features implemented; these have the side effect that makes this not workable: privacy has in effect been prioritised over security.
If we were in a globally IPv6-enabled internet with no privacy randomisation of the address, then every service out there could utilise an automated ACL: when you log in, you don't need to reauthenticate providing you have valid session data on the client device and the IP is in the ACL; if either of these mismatches, you then require 2FA. This would kill all the database account compromises dead, which probably account for 99% of compromised accounts out there.
Some companies already do this, especially datacentres: if I log in to Linode, SoYouStart or Hetzner and my IP has changed, I have to redo 2FA. Some even let you configure static IP whitelists as well. I think it's the way forward and it's that killer IPv6 feature, albeit without the privacy randomisation.
Additional note: I think AAISP also do this; if they detect an IP change, then it's 2FA time.
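The decision logic described above (a valid session plus a client IP on the account's ACL lets the login through; either one mismatching forces 2FA), as an added example that is not part of the original post and not code from any of the providers mentioned. It combines the "automated ACL" of addresses learned at previous 2FA logins with an operator-configured static allow-list, and adds one assumed mitigation for the IPv6 privacy-address problem: an optional `v6_prefix_len` that treats addresses inside the same prefix as equivalent. All state, names and sample addresses are constructed for the example.

```python
import ipaddress
import secrets
import time
from dataclasses import dataclass, field

# Constructed in-memory state for the example; a real deployment would keep
# these in a database and bind the token to a signed session cookie.

@dataclass
class Session:
    account: str
    expires_at: float          # Unix time after which the session is stale

@dataclass
class AccountPolicy:
    # Addresses seen at a previous successful 2FA login (the "automated ACL").
    learned_ips: set = field(default_factory=set)
    # Operator-configured static allow-list, as CIDR strings.
    static_networks: list = field(default_factory=list)

SESSIONS: dict = {}   # token -> Session
POLICIES: dict = {}   # account name -> AccountPolicy


def _ip_allowed(policy: AccountPolicy, client_ip: str, v6_prefix_len: int) -> bool:
    """True if client_ip is covered by the static allow-list or a learned address."""
    addr = ipaddress.ip_address(client_ip)
    for net in policy.static_networks:
        if addr in ipaddress.ip_network(net, strict=False):
            return True
    for known in policy.learned_ips:
        known_addr = ipaddress.ip_address(known)
        if known_addr == addr:
            return True
        # Assumed mitigation: an IPv6 client rotating privacy addresses inside
        # the same prefix still matches when the policy allows prefix matching.
        if addr.version == 6 and known_addr.version == 6 and v6_prefix_len < 128:
            prefix = ipaddress.ip_interface(f"{known}/{v6_prefix_len}").network
            if addr in prefix:
                return True
    return False


def evaluate_login(account: str, token: str, client_ip: str,
                   now: float = None, v6_prefix_len: int = 128) -> str:
    """Return 'allow', 'step_up_2fa' or 'deny' for a request carrying a session token."""
    now = time.time() if now is None else now
    policy = POLICIES.get(account)
    if policy is None:
        return "deny"                       # unknown account, nothing to check against
    sess = SESSIONS.get(token)
    session_ok = (sess is not None and sess.account == account
                  and sess.expires_at > now)
    ip_ok = _ip_allowed(policy, client_ip, v6_prefix_len)
    if session_ok and ip_ok:
        return "allow"                      # both factors match: no re-authentication
    return "step_up_2fa"                    # stale/missing session or unknown IP: ask for 2FA


def complete_2fa(account: str, client_ip: str, now: float = None,
                 ttl: float = 30 * 24 * 3600) -> str:
    """After a successful 2FA, learn the client IP and issue a fresh session token."""
    now = time.time() if now is None else now
    POLICIES.setdefault(account, AccountPolicy()).learned_ips.add(client_ip)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(account=account, expires_at=now + ttl)
    return token


if __name__ == "__main__":
    # Constructed walk-through: first login completes 2FA from one address,
    # later requests from a different address are pushed back to 2FA.
    tok = complete_2fa("alice", "198.51.100.7")
    POLICIES["alice"].static_networks.append("203.0.113.0/24")
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.5"):
        print(ip, "->", evaluate_login("alice", tok, ip))
```

A stolen credential database alone never reaches `allow` here: without a session token issued by `complete_2fa` from a known address, every request lands on `step_up_2fa`. The prefix match is deliberately opt-in, since a /64 is shared by every device on the same link.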