Most services w/ strong security standards will notify you when security-sensitive events happen. That (hopefully) makes you aware when an attacker has compromised something.
Here are some rough thoughts on events that should trigger a notification:
User only
- when 2fa settings changed in any way
- when a 2nd-factor attempt fails after a successful password (related: Add logging function when failed to authenticate #462, Add rate limiting to two factor attempts #510)
Admin and User
- when backup code used (should be filterable off for large sites)
- when user disables all 2fa providers (maybe not necessarily if we add a mechanism to force 2fa on for certain roles - Feature: Setting to Force 2F via email for administrators #185, Optionally Force 2fa #239, Enforce 2FA #255, Feature request - enable 2FA for all #307, Add force users to enable two-factor on next login #451)
Admin only
- Email provider enables automatically as a fallback (see Ensure that doesn't 'fail open' if existing providers poof. #586)
Should anything be added to those lists?
Email notifications are good because the user doesn't have to visit the site to be informed about the event. Email is also unreliable, though, so we could consider also adding notifications in wp-admin, like #510 and #482.
We might want to do #459 first, since that is similar and could lay the groundwork. Or maybe we need a generic PR that just fires actions when events occur, and separate PRs for specific responses to that (email, error_log). An add-on plugin could redirect notices to Stream, monolog, sentry.io, etc.
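As an added illustration of the "generic action plus separate responders" design suggested above (example code, not code from the Two-Factor plugin or from this issue's author): the plugin core emits one WordPress action per security-sensitive event, and independent listeners decide what to do with it. The hook name `two_factor_security_event`, the event slugs, the `tf_` function names and the `two_factor_notify_backup_code_used` filter are assumptions chosen for this example; `do_action`, `add_action`, `apply_filters`, `wp_mail`, `get_userdata`, `get_option` and `wp_json_encode` are real WordPress functions.

```php
<?php
/**
 * Added example, not part of the Two-Factor plugin: a thin event bus for the
 * security-sensitive events listed in the issue, plus two independent
 * responders (email and error_log). Hook and function names are assumptions.
 */

// --- Producer side: the core only emits; it knows nothing about responders. ---
function tf_notify_event( $event, $user_id, array $context = array() ) {
    $context = array_merge(
        array(
            'ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
            'time' => time(),
        ),
        $context
    );
    // Never put secrets (backup codes, TOTP secrets, tokens) into $context:
    // every responder, including a third-party log shipper, will see it.
    do_action( 'two_factor_security_event', $event, $user_id, $context );
}

// Audience per event, mirroring the "User only / Admin and User / Admin only"
// lists above (event slugs are assumptions for this example).
function tf_event_audience( $event ) {
    $user_only = array( '2fa_settings_changed', 'second_factor_failed' );
    $both      = array( 'backup_code_used', 'all_providers_disabled' );
    $admin     = array( 'email_fallback_enabled' );
    if ( in_array( $event, $user_only, true ) ) {
        return array( 'user' );
    }
    if ( in_array( $event, $both, true ) ) {
        return array( 'user', 'admin' );
    }
    if ( in_array( $event, $admin, true ) ) {
        return array( 'admin' );
    }
    return array(); // Unknown event: notify nobody rather than everybody.
}

// --- Responder 1: email to the affected user and/or the site admin. ---
function tf_email_responder( $event, $user_id, $context ) {
    // "backup code used" should be filterable off for large sites.
    if ( 'backup_code_used' === $event
        && ! apply_filters( 'two_factor_notify_backup_code_used', true, $user_id ) ) {
        return;
    }
    $audience = tf_event_audience( $event );
    $user     = get_userdata( $user_id );
    $subject  = sprintf( '[%s] Two-factor security event: %s', get_bloginfo( 'name' ), $event );
    $body     = sprintf(
        "Event: %s\nAccount: %s\nFrom IP: %s\nWhen (UTC): %s\n\n" .
        "If this was not you, change your password and review your two-factor settings.",
        $event,
        $user ? $user->user_login : "user #{$user_id}",
        $context['ip'],
        gmdate( 'c', $context['time'] )
    );
    if ( $user && in_array( 'user', $audience, true ) ) {
        wp_mail( $user->user_email, $subject, $body );
    }
    if ( in_array( 'admin', $audience, true ) ) {
        wp_mail( get_option( 'admin_email' ), $subject, $body );
    }
}
add_action( 'two_factor_security_event', 'tf_email_responder', 10, 3 );

// --- Responder 2: structured line to error_log. An add-on plugin could hook
// the same action and ship the record to Stream, monolog or Sentry instead. ---
function tf_log_responder( $event, $user_id, $context ) {
    error_log( wp_json_encode( array(
        'source'  => 'two-factor',
        'event'   => $event,
        'user_id' => (int) $user_id,
        'ip'      => $context['ip'],
        'time'    => gmdate( 'c', $context['time'] ),
    ) ) );
}
add_action( 'two_factor_security_event', 'tf_log_responder', 10, 3 );

// Example call sites where the core would emit (hypothetical; user IDs constructed):
// tf_notify_event( 'backup_code_used', 42 );
// tf_notify_event( 'second_factor_failed', 42, array( 'provider' => 'totp' ) );
// tf_notify_event( 'email_fallback_enabled', 42 );
```

Keeping the producer to a single `do_action` call is what lets the email, wp-admin notice and external-logging responses land as separate PRs: each is one `add_action` listener, and a site can unhook the email responder on a large install without losing the audit log.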