Hey @Tom_Ring: mandatory 2FA is fine. But:
(1) Give users a way to remember their computers for at least 30 days without retriggering 2FA. Even banks don’t ask for 2FA every 30 days. On bank websites where people keep thousands (millions?) of dollars, you can go months (years?) without 2FA if you’re using the same browser on the same computer on the same IP.
(2) Give users ways to log in or at least reset their accounts without having to call in to Ring. Sometimes people change phones/computers and have no access to their old phones/computers, AND they have no access to their Ring devices (away from home), AND they will need to log into Ring. Right now, they are SOL in this scenario. Due to 2FA, Ring is LESS secure and gives customers LESS control.