You know better what is more work for support: people losing their accounts due to hackers, or people shutting themselves out of their account due to screwing up the 2FA.
It just makes 2FA less secure than one might think.
Least intrusive might be to ramp up the session hijacking detection, if possible.