Your comments

Could do 2FA through email - like Guild Wars 2, which works great. Could also offer the option to use Google Authenticator - which is what TeamViewer and a bunch of others use; also works great. Neither of those things costs money aside from the time taken to code the feature. It should be "opt-in" but it is a must-have feature if any sort of money is going to be changing hands through the site.