Scenario 1:
1) User fails logon
2) disable account
3) send SMS to user (user's mobile number & email address in VBS array) "Reply UNLOCK to activate account"
4) Gammu script unlocks account based on mobile number/email address combination
That seems kind of strict and doesn't take into account password guessers. I get very, very few password guessers anyway because no auth on port 25 and other submission ports are closed from the internet (mail submission via webmail, ActiveSync on localhost only).
Scenario 2:
1) User fails logon
2) Failed logon goes into database for counting
3) If failed logons exceed autoban max invalid logon attempts, then lock account & send SMS "Reply UNLOCK to activate account"
4) Gammu script unlocks account based on mobile number/email address combination
Scenario 3:
Same as above except require password change (already have working SMS hmailserver password change script for Gammu)
These seem better but I'm still missing something. Since this is a Corona-chan project, it's more proof of concept than anything else.

Still, the concept is sound. Looking for a good execution. Any ideas, you great thinkers with time on your hands?

Basically asking: what is the best strategy for SMS 2 factor authentication...
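The counting, lock and SMS-unlock flow of Scenarios 2 and 3, as an added example that is not code from the original post, hMailServer or Gammu. The in-memory store, the `send_sms` callback and the `MAX_FAILED` / `WINDOW_SECONDS` values are assumptions standing in for the database, the Gammu sending script and the autoban setting; the unlock only succeeds when the replying mobile number matches the number on record for a locked account.

```python
import time
from dataclasses import dataclass, field

MAX_FAILED = 5        # assumed "autoban max invalid logon attempts"
WINDOW_SECONDS = 600  # failures older than this no longer count (assumption)

@dataclass
class Account:
    email: str
    mobile: str
    failures: list = field(default_factory=list)  # timestamps of failed logons
    locked: bool = False
    must_change_password: bool = False            # Scenario 3 flag

class LockoutPolicy:
    def __init__(self, send_sms, now=time.time):
        self.accounts = {}        # stands in for the database / VBS array
        self.send_sms = send_sms  # stands in for the Gammu sending script
        self.now = now

    def add_account(self, email, mobile):
        self.accounts[email] = Account(email, mobile)

    def record_failed_logon(self, email):
        """Count a failure; lock and text the user when the threshold is hit."""
        acct = self.accounts.get(email)
        if acct is None or acct.locked:
            return False
        t = self.now()
        acct.failures = [f for f in acct.failures if t - f < WINDOW_SECONDS]
        acct.failures.append(t)
        if len(acct.failures) >= MAX_FAILED:
            acct.locked = True
            self.send_sms(acct.mobile, "Reply UNLOCK to activate account")
            return True
        return False

    def handle_sms_reply(self, sender_mobile, text, require_password_change=False):
        """Unlock the account whose stored mobile number sent 'UNLOCK'."""
        if text.strip().upper() != "UNLOCK":
            return None
        for acct in self.accounts.values():
            # A reply from an unknown or non-matching number unlocks nothing.
            if acct.locked and acct.mobile == sender_mobile:
                acct.locked = False
                acct.failures.clear()
                acct.must_change_password = require_password_change
                return acct.email
        return None
```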