"Two-factor
...
These devices can be expensive ... "

This is not true at all (the expensive part). The hardware component for setting up two-factor auth for users is effectively free if your users have smart phones (i.e. Google Authenticator and equivalents). Honestly, users that don't have smart phones probably aren't going to use two-factor auth anyway.

Similarly the server software side isn't that complicated to implement either. In my experience with implementing it, most of the complexity is in handling emergency codes for resets, as implementing the TOTP/HOTP parts is pretty straightforward.

I remember hearing that single-purpose two-factor hardware tokens (i.e. something like those RSA SecurID keychains) are on the order of $5-10 per user (was a couple years ago, price is probably lower now). If you're dealing with less sophisticated users but the cost of compromising a user's account is high (ex: you're a financial institution) then I think that price is well worth it.