How about… A system where you have to pay sats to use a 2FA, reset your password, or submit a password. The catch is the sats go to your account wallet. So no harm if it’s you, as you’re paying yourself. But bad actors won’t because of the cost of attempted log-in or attack.