If you're going to do mandatory 2FA (which I agree with), you might consider offering an SMS token as google does with gmail logins. It's probably not as secure as some other options, but any additional security that requires more than just a concurrent session is probably beneficial.

It's not entirely reasonable (just yet) to assume that everyone who may be using BTCT or LTCGlobal has a smartphone - but a mobile phone and/or yubikey requirement makes sense.