Support MFA
Adam Měrka
Add support for multi-factor authentication. Either time-based (TOTP), physical (YubiKey/FIDO), SMS or at least an email notification.
Users who are not using GitHub/Google SSO but are using a regular email+password are prone to several types of attacks on their credentials. Password spraying, dictionary attacks, brute-force attacks and others may all be successfully used to breach such an account's password and gain unauthorized access.
Missing a second factor decreases the security of such accounts, which is especially troublesome when they need to be used as service accounts for integrations with other systems.