Install tfa and ga_login (TFA is just a framework; it doesn't come with its own login plugins).
Use this patch I wrote - it adds display of validation skip times and an admin reset button for users who got locked out.
My installation instructions:
Next you need to generate an encryption profile.
First you need to generate a key - key type needs to be Encryption (not Authentication).
A 128-bit key = 128/8 bytes = 16 characters - so generate a random 16-character string.
Set key provider to File rather than Configuration; this means the key won't end up in your version control.
Tick the 'strip trailing line breaks' box to avoid the "The selected key size does not match the actual size of the key." error.
Key path should be relative to Drupal so the config will work on multiple sites,
e.g. if you have created a file called /app/tfa.key on a Lando container, set the key path to ../tfa.key
I'm actually creating mine in a keys directory.
Remember to save the key somewhere in your password manager, or your Ansible variables, in case you lose the files later.
Remember to add /keys to your .gitignore file, so it won't get stored in version control.
Remember to copy it manually onto your production server.
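The file-side steps above (random 16-character key, no trailing line break, key directory ignored by git) as a shell function. This is an added example, not part of the original instructions; the make_tfa_key name, the tfa.key file name and a key directory at the repository root are assumptions.

```shell
#!/bin/sh
# Added example: create the key file for the Key module's File provider.
# Assumed names: tfa.key inside a key directory at the repository root.

make_tfa_key() {
    key_dir=$1      # e.g. ./keys, next to the Drupal docroot, not inside it
    gitignore=$2    # e.g. ./.gitignore
    key_file="$key_dir/tfa.key"

    # Never silently replace a key: anything already encrypted with it
    # becomes unreadable.
    if [ -e "$key_file" ]; then
        echo "refusing to overwrite existing $key_file" >&2
        return 1
    fi

    # umask 077 makes the directory and file owner-only; on the server the
    # owner (or group, after a chmod) must be the user PHP runs as.
    # The key is 16 characters filtered from kernel CSPRNG output. head -c
    # writes no trailing newline, so the file is exactly 16 bytes. Note that
    # 16 alphanumeric characters carry about 95 bits of entropy, not 128.
    (
        umask 077 &&
        mkdir -p "$key_dir" &&
        head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' \
            | head -c 16 > "$key_file"
    ) || return 1

    # Check the size the encryption profile will check: 128 bits = 16 bytes.
    size=$(wc -c < "$key_file" | tr -d ' ')
    if ! [ "$size" -eq 16 ]; then
        echo "key is '$size' bytes, expected 16" >&2
        rm -f "$key_file"
        return 1
    fi

    # Keep the key directory out of version control (one entry, no duplicates).
    ignore_line="/$(basename "$key_dir")"
    touch "$gitignore"
    grep -qxF "$ignore_line" "$gitignore" || echo "$ignore_line" >> "$gitignore"
}

# Usage: sh make_tfa_key.sh ./keys ./.gitignore
if [ "$#" -eq 2 ]; then
    make_tfa_key "$1" "$2"
fi
```

Because the file has no trailing newline, the size check passes even if the 'strip trailing line breaks' box is left unticked.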
In the TFA settings (/admin/config/people/tfa) you probably want to increase the number of times a user can skip validation.
Note that TFA has a separate 'Tfa user login' block (replacing the ordinary 'User login').