Email the user when their two-factor OTP attempt is wrong
This is an interesting idea that came from the blog post at https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781c3861db:
From the article:
I have yet to come across a service that notifies you if your 2FA code was entered incorrectly. If this happens I think it would be very important to know about. Think about what has happened: somebody has entered your username and password correctly. Even if they get the next part (2FA) wrong, you won't know about it. Somebody has your actual username and password!
Such a change alerts the user at the moment it matters: anyone who reaches the OTP prompt has already proven they hold the correct username and password, and a wrong code means they are now guessing (or brute-forcing) the second factor. The email should say so plainly and tell the user to change their password. It complements, rather than replaces, rate limiting and lockout on OTP attempts: a six-digit TOTP has only a million possible values, so an attacker allowed unlimited guesses will eventually get one accepted.
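The following is an added example of what such a login flow looks like in code; it is not from the blog post or any particular service. It implements a two-stage login (password, then RFC 6238 TOTP) that emails the account owner on the first wrong OTP, and locks the account after a small number of failures. The MAX_OTP_FAILURES threshold, the EmailNotifier stand-in (which records messages instead of sending them), and the user records are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Optional


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the usual authenticator-app default."""
    counter = int((time.time() if for_time is None else for_time) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    failed_otp_attempts: int = 0
    locked: bool = False


def make_user(email: str, password: str, totp_secret: bytes) -> User:
    salt = os.urandom(16)
    return User(email, salt, hash_password(password, salt), totp_secret)


@dataclass
class EmailNotifier:
    """Assumed stand-in for an SMTP or mail-API client: records messages instead of sending."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


class LoginService:
    MAX_OTP_FAILURES = 5     # assumed threshold; TOTP has only 10**6 values, so keep it small
    ALLOWED_STEP_SKEW = 1    # also accept the previous 30 s window to tolerate clock drift

    def __init__(self, notifier: EmailNotifier):
        self.notifier = notifier

    def login(self, user: User, password: str, otp: str, client_ip: str,
              now: Optional[float] = None) -> str:
        """Returns one of: "ok", "bad_password", "bad_otp", "locked"."""
        if user.locked:
            return "locked"
        # Stage 1: password. A wrong password says nothing about the second factor,
        # so no email is sent here and the caller gets a generic failure.
        if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            return "bad_password"
        # Stage 2: OTP. Reaching this point proves the caller holds the real password.
        t = time.time() if now is None else now
        candidates = [totp(user.totp_secret, t - 30 * k) for k in range(self.ALLOWED_STEP_SKEW + 1)]
        if any(hmac.compare_digest(otp.encode(), c.encode()) for c in candidates):
            user.failed_otp_attempts = 0
            return "ok"
        # Wrong OTP with a correct password: notify on the very first failure.
        user.failed_otp_attempts += 1
        self._notify_wrong_otp(user, client_ip, t)
        if user.failed_otp_attempts >= self.MAX_OTP_FAILURES:
            user.locked = True   # stop the brute force; unlocking is an out-of-band step
            return "locked"
        return "bad_otp"

    def _notify_wrong_otp(self, user: User, client_ip: str, t: float) -> None:
        when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t))
        self.notifier.send(
            to=user.email,
            subject="Sign-in blocked: wrong two-factor code",
            body=(f"At {when}, someone at {client_ip} entered your correct password but a wrong "
                  f"two-factor code (failure {user.failed_otp_attempts} of {self.MAX_OTP_FAILURES}). "
                  "If this was not you, your password is compromised: change it now."),
        )


if __name__ == "__main__":
    # Constructed demo: secret is the RFC 6238 test key, so totp(secret, 59) == "287082".
    notifier = EmailNotifier()
    svc = LoginService(notifier)
    alice = make_user("alice@example.com", "correct horse battery staple", b"12345678901234567890")
    print(svc.login(alice, "correct horse battery staple", "000000", "203.0.113.7", now=59))
    print(notifier.sent[0]["body"])
```

The email is sent on the first wrong code rather than after the lockout threshold, because a single wrong OTP with a correct password is already the signal the article describes. The notification deliberately includes the source IP and the time so the user can tell their own fat-fingered attempt from someone else's, and the lockout is kept separate so that alerting never becomes the only defence against an attacker guessing codes.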