Two-factor authentication will soon become the norm.
Almost every large organisation (with at least one competent security professional) we work with will now only use a platform with two-factor authentication.
Here's a simple explanation.
Authentication (checking you're the right person to be accessing the community) can rely on any of three factors:
1) Knowledge – Something the user knows (e.g. a username/password)
2) Possession – Something the user has (e.g. a mobile phone/bank card)
3) Inherence – Something the user is (e.g. biometrics – fingerprint/voice/retina)
In the UK, banks require people to use both a username/password and a chip and pin to log in. Online communities are heading the same way.
For example, a member might have their e-mail hacked. The hacker then uses the 'forgot my password' feature to gain access to dozens of communities (more if the user is foolish enough to use the same password for every feature) and wreak havoc.
Two-factor authentication stops this by sending a code to the member's phone to change or retrieve the password.
Likewise, a hacker might retrieve a member's password and attempt to access the community from a new IP/device. Two-factor authentication can send a code to the member's phone to validate this is the real person.
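As an added illustration (not code from the original post or any particular platform), here is a minimal version of the check the two paragraphs above describe: a one-time code sent to the member's phone for a password reset or a login from a device not seen before. The SMS gateway is assumed to be a callable you pass in, the device identifier is assumed to come from the client (a cookie or app install id), and storage is in memory for the sake of the example. The code itself is never stored, only a salted hash; it expires, is single use, and is thrown away after a handful of wrong guesses.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6          # digits in the one-time code
CODE_TTL_SECONDS = 300   # a code expires five minutes after it is issued
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is invalidated


class SecondFactor:
    """Issues and verifies one-time codes sent to a member's phone.

    Only a salted SHA-256 hash of each pending code is kept, so a leaked
    table of pending codes does not let anyone finish a login or reset.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # assumed gateway: callable(phone, message)
        self._clock = clock         # injectable so expiry can be tested
        self._pending = {}          # (user, purpose) -> hash, salt, expiry, attempts
        self._known_devices = {}    # user -> set of device ids seen before

    def needs_code(self, user, device_id):
        """A login from a device the member has not used before needs a code."""
        return device_id not in self._known_devices.get(user, set())

    def issue(self, user, phone, purpose):
        """Generate a fresh code, remember its salted hash, send it by SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[(user, purpose)] = {
            "hash": hashlib.sha256(salt + code.encode()).digest(),
            "salt": salt,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, f"Your {purpose} code is {code}")

    def verify(self, user, purpose, submitted, device_id=None):
        """True exactly once for the right code; wrong, expired, reused or
        over-tried codes all fail the same way."""
        key = (user, purpose)
        entry = self._pending.get(key)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[key]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]           # too many guesses: force a new code
            return False
        candidate = hashlib.sha256(entry["salt"] + submitted.encode()).digest()
        if not hmac.compare_digest(candidate, entry["hash"]):
            return False
        del self._pending[key]               # single use
        if device_id is not None:
            self._known_devices.setdefault(user, set()).add(device_id)
        return True


def demo():
    """Walk through a login from a new device with a constructed SMS stub."""
    outbox = []                              # constructed stand-in for the gateway
    sf = SecondFactor(lambda phone, msg: outbox.append(msg))
    user, device = "alice", "laptop-1"       # constructed sample values
    if sf.needs_code(user, device):
        sf.issue(user, "+44 7700 900000", "login")   # constructed phone number
    code = outbox[-1].split()[-1]            # what the member reads off the phone
    first = sf.verify(user, "login", code, device_id=device)
    second = sf.verify(user, "login", code, device_id=device)   # replay
    return first, second, sf.needs_code(user, device)


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through shows the first verification succeeding, the replay of the same code failing, and the device no longer requiring a code afterwards. A production version would keep the pending codes and known devices in a database, rate-limit `issue()` as well as `verify()`, and let the member revoke remembered devices.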
Salesforce, Google, iCloud, Dropbox, Facebook and others offer two-factor authentication (you should turn it on).
Until biometrics (voice recognition software) improves, the best systems will require both a username/password and a mobile phone to access the community from a new location/device or retrieve the password.
This won't stop the top 1% of hackers getting in. It will stop the other 99%.
If you're not sure how or if you can implement this, I'd begin hassling your platform provider for it.
If you're a platform provider, I'd make this a priority.