Add additional factors (verification options) during login. Sending a token to the original e-mail is generally OK, but some users may not have access to e-mail and prefer a token generator or hardware (signing) token instead). Additional factors for 2FA/MFA would allow for options, and TOTP would be nice start. Although text/SMS is exceedingly common, it is important to have alternatives that do not allow for attacks/theft/redirection by the carrier services.
(This may be a duplicate since I recall making this post before but cannot find it in search results. Support also directed me to this site instead of documenting it themselves.)