I would suggest not bothering users to confirm their identity with Two-Factor Auth every time they want to log in!
On the other hand, you may perform a basic check of the IP address when they log in. Assuming that you store login IP address history, you may compare locations! If the login IP is once from Kazakhstan and the user is from the USA, and he usually logs in from the USA, then you may push Two-Factor Auth to confirm his identity.
You can also push T-F Auth on big orders.
I am over critical thinking. It is like checking every day if gravity works!
Anyway, dedicated servers here: 1way.pro
I agree with people that you should avoid making things a hassle for your customers. At the same time, certain customers (especially any larger, stricter companies that you may or may not get) may wish to have additional security measures in place.
You could meet your clients in the middle. Have a mix of the standard: SSL certificate, password strength hints etc., but then offer 2-factor to those that want to enable it in the client portal. Those that want it, have it. Those that would have stopped buying from you simply don't have to enable it.
@1wayhosting - Google uses Geo detection when you sign in to any Google service and will act according to how a profile is set up. In some cases it will just send an alert to the backup email account informing them that a login took place, the general location and device. But if set to do so, it can actually block the login until you provide additional verification (SMS, secret q answer etc.).
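The suggestions above (challenge on an unusual login country, challenge on big orders, and let clients opt in to 2FA) combined into one step-up decision, as an added example that is not part of any post in this thread. Country codes are assumed to come from a GeoIP lookup done elsewhere; the thresholds and every name here are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed policy values (not from the thread); tune them for your own portal.
BIG_ORDER_THRESHOLD = Decimal("500.00")
MIN_HISTORY = 3      # logins needed before the stored history can be judged
USUAL_SHARE = 0.20   # a country is "usual" if it holds >= 20% of past logins


@dataclass
class Account:
    opted_in_2fa: bool = False  # client enabled 2FA in the client portal
    login_countries: list = field(default_factory=list)  # ISO codes, past logins


def usual_countries(account):
    """Countries that make up a meaningful share of the stored login history."""
    counts = Counter(account.login_countries)
    total = sum(counts.values())
    return {c for c, n in counts.items() if n / total >= USUAL_SHARE} if total else set()


def step_up_reasons(account, login_country=None, order_total=None):
    """Return why a second factor should be requested (empty list = no challenge)."""
    reasons = []
    if account.opted_in_2fa:
        reasons.append("opted_in")
    if login_country is not None:
        if len(account.login_countries) < MIN_HISTORY:
            # Assumed policy: fail closed when the history is too thin to compare.
            reasons.append("insufficient_history")
        elif login_country not in usual_countries(account):
            reasons.append("unusual_country")
    if order_total is not None and Decimal(order_total) >= BIG_ORDER_THRESHOLD:
        reasons.append("big_order")
    return reasons


def record_login(account, login_country):
    """Call only after the login, including any 2FA challenge, has succeeded,
    so a stolen password alone cannot add the attacker's country to the history."""
    account.login_countries.append(login_country)
```

A one-off login from a country the client rarely uses stays below `USUAL_SHARE`, so it keeps triggering the challenge until it becomes a regular pattern.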
Personally, two-factor authentication is really something which should be available as a feature on all major websites or places where crucial data is being stored.
Nowadays there are a lot of different services which help to make the two-factor authentication process for the client as smooth as possible, to name a few: Google Authenticator, Authy, LastPass (now supports Two Factor).