Have you considered adding U2F (as in https://fidoalliance.org/) as a two-factor authentication method? This is only really supported in Chrome at the moment, so I can imagine it's not a high priority, just wondering if it's on your radar / roadmap at all. It offers some distinct advantages over OATH-HOTP/TOTP both in ease of use ("just press the button") and actual security (you can't execute a passthrough phishing attack, because the crypto handshake would fail).
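
The origin binding behind the passthrough-phishing point above, as an added example that is not part of the original post: a relying party's check of a U2F-style signed response, run for a direct login and for a response produced on a look-alike origin. Assumptions: the origins, challenge value and function names are constructed, the browser and token are collapsed into one function, the appId is taken to equal the origin, and one key pair stands in for the token's per-site key.

```javascript
// Added illustration, not code from the post. Origins and function names are constructed.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
const APP_ID = 'https://login.example.com';   // relying party's origin (constructed)

// Stand-in for the key pair the token creates for this site at registration.
const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// U2F signs: SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData)
function signedData(appId, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(clientData)]);
}

// Browser and token: the browser, not the page's script, fills in the origin.
function browserSign(pageOrigin, challenge, counter) {
  const clientData = JSON.stringify(
    { typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  const signature = sign('sha256', signedData(pageOrigin, counter, clientData), privateKey);
  return { clientData, counter, signature };
}

// Relying party: check challenge and origin, then the signature over its own appId.
function rpVerify(resp, expectedChallenge) {
  const cd = JSON.parse(resp.clientData);
  if (cd.challenge !== expectedChallenge) return 'bad challenge';
  if (cd.origin !== APP_ID) return 'wrong origin';
  const ok = verify('sha256', signedData(APP_ID, resp.counter, resp.clientData),
                    publicKey, resp.signature);
  return ok ? 'accepted' : 'bad signature';
}

const challenge = 'c2FtcGxlLWNoYWxsZW5nZQ';  // constructed challenge value
// Direct login: user is on the real site.
const direct = rpVerify(browserSign(APP_ID, challenge, 1), challenge);
// Passthrough: user is on a look-alike origin that forwards the real challenge.
const relayed = browserSign('https://login.example.test', challenge, 2);
const passthrough = rpVerify(relayed, challenge);
// Same response with clientData rewritten to claim the real origin.
const rewritten = rpVerify(
  { ...relayed, clientData: relayed.clientData.replace('example.test', 'example.com') },
  challenge);

console.log({ direct, passthrough, rewritten });
```

A TOTP code has no equivalent of the `origin` field or the appId hash, so the server cannot tell which site the user typed it into.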