Add 2FA

[Korb]

I suggest adding multi-factor authentication (MFA aka two-factor authentication) to the site. This will protect users from losing access to their accounts if their email is compromised. At a minimum, it would be convenient to have a one-minute, 6-digit PIN app to choose from, like Google Authenticator and USB-token supported by the FIDO Alliance and the World Wide Web Consortium (W3C).

[mxdanger]

It would probably be preferable to implement FIDO2 Passkey support for sign in and MFA.

Here's a Go library: https://passkeys.dev/docs/tools-libraries/libraries/#go