What is important to note is that many accounts have not been hacked. They are only frozen by some hacking attempt or by an attempt to change the email. The process of defrosting the account or recovering it is manual and takes a lot of time.
Perhaps more important than 2FA would be automatization of the account recovery process, using a signature from a BTC or PGP address. I think the forum should have an option to configure your BTC addresses and PGP directly in the profile, in a way that could never be changed, and only the admin could view them in an account recovery situation. BitMEX uses a similar system.