Certain user groups have access to potentially sensitive non-public information (e.g. CheckUser and Oversight groups) and forcing users in those groups to use two-factor authentication would protect the privacy of project members by making unauthorized account access much more difficult.

We have no way of knowing whether those users are using secure passwords or reusing passwords on other websites. Therefore, requiring two-factor authentication can protect against a reused or weak password. This would not just impact those holding privileged access, but would protect every single active account.

It could also be useful to require two-factor codes before performing sensitive actions (e.g. before running a Checkuser query or viewing hidden revisions). There could be a time out before codes are requested again to prevent annoying the end user. Asking for a two-factor code could also be waived if the user has just logged on, so a generic "if the user has entered a code within the last X minutes, skip asking for a code" may be better.

A setting of something similar to $wgMandatoryTFAGroups = ['checkuser', 'oversight'] or similar can be used. Similar settings can be used for the other proposals.

Thanks for your consideration!