Best case scenario, we would be able to use a physical authentication device, but google authenticator would be a good solution too. I'd even take email or SMS 2FA over nothing. Those aren't ideal solutions though.
I'd suggest using bitcoin addresses as the 2FA to sign a trnasaction from them (when using an unfamiliter IP with the forum that doesn't already have a cookie associated to it and that user). That would really help with the issue and would be quite easy to do as there are a lot of open source codebases out there that can be used...