I agree with # 1 and # 3...especially sending a link/temporary code for resetting password.
# 2 is, well, a # 2. Where I live there is too much latency with text messaging which is really problematic with MFA codes which expire in ridiculously short intervals (like < 5 minutes)
It is not hard to set up multiple options. Email, SMS, app, even an RSA or Yuibikey.
The whole point of all these mechanisms is to address the problem of password harvesting. ESPECIALLY for moderator/admin accounts.
Years ago I went into a datacenter and all the admin passwords were scribbled on the whiteboard. I could’ve run riot all through their network without them knowing it was me.
Imagine not having to go to the effort of taking a photo of a whiteboard because you can go on the dark web and get the photo from it...
Now imagine, everyone with zot abilities who has had the same password for fifteen years, has their login details in a freely available, hacked password list.
So even if MFA is overkill for Freepers, it should be mandatory for admins and moderators.