Another excellent open-source contribution has been deployed today - @oden has added two-factor authentication support (via TOTP apps like Google Authenticator). Here's the code, if anyone wants to take a look.
If you want to set it up for your account, the link is available on the settings page. If you do, please please please write down or store the backup codes that it gives you after you enable it. If your phone dies or you otherwise lose access to your 2FA device, you won't be able to recover access to your Tildes account.
On that note, I wanted to ask for input about whether I should be willing to bypass 2FA for people if they've set up the email-based account recovery. People will lose access to their 2FA device and not have the backup codes, and I don't know if just telling them that I can't help them is truly the best thing to do. Allowing it to be bypassed does lower the security, but sometimes it's a reasonable trade-off. One possibility is adding a security option that people could enable for maximum security, like "Do not bypass 2FA for me under any circumstance, I promise that I've kept my backup codes".
Let me know what you think about that, as well as if you have any concerns or notice any issues with the feature. Thanks again, @oden!