Potential things that should be logged (including information about the client IP):
- User enrolling
- User un-enrolling
- Wrong OTP entered
- Scratch code used
- Login using OTP
It would also be advantageous if we emailed a user when they enrolled and un-enrolled from 2FA, suggesting they contact the wiki administrators (or similar) if they didn't perform the action that is being reported.
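A sketch of the audit record and notification described above, as an added Python example that is not code from the project. The function name `audit_2fa`, the event identifiers and the JSON field names are hypothetical; actually sending the email is left to the caller.

```python
import json
from datetime import datetime, timezone

# Event descriptions mirror the list above; the short identifiers are hypothetical.
EVENTS = {
    "enroll": "User enrolling",
    "unenroll": "User un-enrolling",
    "otp_wrong": "Wrong OTP entered",
    "scratch_used": "Scratch code used",
    "otp_login": "Login using OTP",
}
# Only enrollment changes produce an email to the account owner.
NOTIFY = {"enroll", "unenroll"}


def audit_2fa(event, user, client_ip, email=None, now=None):
    """Return (log_line, notification) for one 2FA event.

    log_line is one JSON object per event, suitable for an append-only log.
    notification describes the email to send, or is None.
    """
    if event not in EVENTS:
        raise ValueError(f"unknown 2FA event: {event}")
    ts = (now or datetime.now(timezone.utc)).isoformat()
    # The submitted OTP or scratch code is not a parameter, so it can never
    # end up in the log; only who, what, when and from where are recorded.
    record = {"ts": ts, "event": event, "user": user, "client_ip": client_ip}
    log_line = json.dumps(record, sort_keys=True)

    notification = None
    if event in NOTIFY and email:
        notification = {
            "to": email,
            "subject": f"Two-factor authentication change: {EVENTS[event]}",
            "body": (
                f"'{EVENTS[event]}' was recorded for account {user} at {ts} "
                f"from {client_ip}. If you did not perform this action, "
                "contact the wiki administrators."
            ),
        }
    return log_line, notification
```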