Discourse hacked via sophisticated social engineering

Can social logins be disabled for staff or at least admins?

E.g. staff & admins can only be allowed to log in via Discourse’s username > password > 2FA validation, with a global minimum number of characters for the password. I’ve read your articles about passwords and think that 10+ characters for staff should be a good choice.

Also, one more thing could be that if there have been any changes to an admin account, those accounts should be put into a cooldown period. This can be tricky, but if anyone has made any changes to an admin account, e.g. an email change or modification of 2FA, that admin account should not be permitted access to the admin area for the next 24 hours or so … Just so that if anyone has gained access maliciously then there is some grace period before damage is done to the whole community.

2 Likes
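An added illustration of the policy proposed in the post above (this is example code, not part of the original post and not Discourse’s own code): admin-area access requires a local login, a 10+ character password and 2FA, and any email or 2FA change on the account within the last 24 hours puts it in a cooldown. The StaffAccount struct and its field names are assumptions for the example; the sample accounts in the test are constructed.

```ruby
require 'time'

# Hypothetical account record; the field names are assumptions for this
# example, not Discourse's schema.
StaffAccount = Struct.new(:username, :admin, :auth_method, :password_length,
                          :totp_enabled, :email_changed_at, :totp_changed_at,
                          keyword_init: true)

MIN_STAFF_PASSWORD_LENGTH = 10      # global minimum for staff, as proposed
COOLDOWN_SECONDS = 24 * 60 * 60     # 24-hour grace period after account changes

# Evaluates an admin-area request against the proposed policy.
# Returns the list of reasons to deny; an empty list means allow.
def admin_access_denials(account, now: Time.now)
  return ['not an admin'] unless account.admin

  denials = []
  # Only the local username/password/2FA path is acceptable for staff.
  denials << 'social login not permitted for staff' unless account.auth_method == :local
  if account.password_length < MIN_STAFF_PASSWORD_LENGTH
    denials << "password shorter than #{MIN_STAFF_PASSWORD_LENGTH} characters"
  end
  denials << '2FA not enabled' unless account.totp_enabled

  # Any sensitive change in the last 24 hours blocks admin access, so a
  # takeover that rotates email or 2FA cannot immediately reach the admin area.
  [[:email_changed_at, 'email'], [:totp_changed_at, '2FA']].each do |field, label|
    changed_at = account[field]
    next if changed_at.nil?
    denials << "#{label} changed within cooldown period" if now - changed_at < COOLDOWN_SECONDS
  end
  denials
end
```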