Please invest in hardware and software authenticators as suggested by OP!!
Then in addition to logins… configure all account changes ( Including the recently removed ‘change username / email address’ feature ) to the authenticator. Then undesired third party can not do anything and all other security checks can be disabled i.e. login authorization emails etc.