Security experts agree that the first step to securing your site against unauthorized access is using a second step during the login process. Joomla 3.2 and later offer Two Factor Authentication which requires you to enter a security code along with your password to log into your site. However, Two Factor Authentication is susceptible to spoofing attacks. Moreover it does not let you use any second factor which is not a text code known to you before you login.
The solution to that is Two Step Verification. You login with just your username and password. However, at this point, you have a "captive login" and you cannot use the site unless you provide your second authentication factor. This could be a text code generated by Google Authenticator like what Joomla already allows, or something impossible to use with core Joomla such as a text code sent to you by SMS or push notification or even a secure hardware token following the FIDO U2F (Universal Second Factor) standard. After providing and validating the second factor your login becomes full features and you can use the site. This is very much like what Google does when you try to login to GMail; or what happens when you log into GitHub; or how Apple handles login to iCloud.
You can easily set up which user groups are required to set up Two Step Verification and which user groups should not have that option. Users can enrol themselves to Two Step Verification or opt out of it (unless their user group requires it to be set up).
Akeeba LoginGuard currently supports the following second factors:
* Web Authentication (WebAuthn), the W3C standard for multi-factor authentication
* Authenticator App (Google Authenticator, Authy, 1Password etc)
* U2F (any USB or NFC token following the U2F protocol will do, including the cheap Amazon ones)
* PushBullet (only with a paid PushBullet account)
* SMS Text Message (you need a paid subscription to the supported SMS service; read the documentation)
* Fixed Code (ONLY FOR DEMONSTRATION - this is the same as using a password; don't use on production sites)
This extension is brought to you by the same person who wrote Joomla's Two Factor Authentication feature. It is what I wanted to contribute to Joomla but couldn't due to several factors outside my control at the time. Akeeba LoginGuard is currently used on hundreds of sites by a combined user base in the several dozen thousands.