I personally have the rule to enable a two-step login method whenever possible on a website. I could see this site being kind of a target for people trying to manipulate accounts.. So maybe it is nice to add an extra layer of security. I am not talking about verification with an sms. But using a verification app, or by mail.
Just another random thought.
Keep up the good work and have a good afternoon / evening / night / morning ..