On a small website (not this one), I registered about 1500 calls of the Typo3 login page per week. This are 1490 too much, probably caused by people wanting to break in. It is helpful to avoid user names like admin, it also is helpful that Typo3 takes some seconds to confirm a login, but two-factor-authentication (2fa) helps more. At the time of this writing, there is not much choice for using 2fa with Typo3 version 10.
So I chose defbu authenticator. This extension comes with exactly zero lines of documentation. It works like this: You need google authenticator on your smartphone. When the authenticator is installed, admin users find the authenticator logo at the bottom of the system division of the tools panel. Go there, click on Activate, scan the QR code, and you are done.
For other users (editors) to have them enable 2fa on their own, there is more work to be done. Go to backend user, edit your users, go to access and grant them access to defbu authenticator. You have to do this per user, not per user group.
When your smartphone gets defective and you have not backed up your 2fa data, you get in trouble. If you still got phpmyadmin access to your website data, you can reset 2fa by changing the contens of be_users. The two last columns contain the enablement state of 2fa and the secret key. This should be enough insurance to get started now.