I would say, lock accounts to, for example, IP address, ASN or GeoIP.

This can be accomplished simply by a custom login handler which also checks the 
IP against a database.

And first-time users, and those who change country/ISP/IP, simply have to log on 
to a web interface (where 2FA and also a Captcha can be required) and add their 
IPs/ASNs/Geos.

For a larger user base, I would recommend GeoIP and no web interface: save the 
country of first login to the database, and subsequent logins must originate 
from the same country. Users who want to reset have to contact support.
If you are a web hotel that only sells service to a specific country at all, lock 
the ports in the firewall to that GeoIP.

For a smaller user base, like 50-100 users, I would recommend locking to ASN and 
providing a web interface where multiple ASNs can be added, so people syncing 
from mobile and home can succeed.

For a very small user base, like tens of users, just plain lock to IP.


By connecting IPs to accounts, you greatly reduce the attack surface.

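The login handler sketched in the post above, as an added example that is not code from the original message or from any project. It assumes a tiny constructed prefix table standing in for the GeoIP/ASN database (documentation address ranges and private-use ASNs, not real routing data), an in-memory account store, and hypothetical method names (`create`, `login`, `add_allowed`, `reset`). The first successful login pins the account to the client's IP, ASN or country depending on the level chosen for that account; `add_allowed` is what the 2FA-protected web interface would call, and `reset` is the support-driven reset.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field

# Constructed prefix -> (ASN, country) table standing in for a GeoIP/ASN
# database. The prefixes are RFC 5737 documentation ranges and the ASNs are
# private-use numbers, so none of this is real routing data.
PREFIX_DB = [
    (ipaddress.ip_network("203.0.113.0/24"), 64496, "SE"),   # "home ISP"
    (ipaddress.ip_network("198.51.100.0/24"), 64497, "SE"),  # "mobile carrier"
    (ipaddress.ip_network("192.0.2.0/24"), 64498, "US"),     # "abroad"
]

LEVELS = ("ip", "asn", "country")   # what an account can be pinned to


def lookup(ip):
    """Return {'ip', 'asn', 'country'} for an address, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn, country in PREFIX_DB:
        if addr in net:
            return {"ip": str(addr), "asn": asn, "country": country}
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2 so the store never holds a plaintext password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    level: str                              # "ip", "asn" or "country"
    allowed: set = field(default_factory=set)   # pinned values for that level


class LoginHandler:
    """Hypothetical custom login handler that also checks the client network."""

    def __init__(self):
        self.accounts = {}

    def create(self, user, password, level):
        if level not in LEVELS:
            raise ValueError("unknown lock level: %s" % level)
        salt, pw_hash = hash_password(password)
        self.accounts[user] = Account(salt, pw_hash, level)

    def login(self, user, password, ip):
        acct = self.accounts.get(user)
        info = lookup(ip)
        if acct is None or info is None:
            return "denied"          # unknown user or unroutable/unknown network
        key = info[acct.level]
        # Network check first: an account already pinned to a network refuses
        # everything else before the password is even looked at, so an
        # attacker outside the allowed network gets no password oracle.
        if acct.allowed and key not in acct.allowed:
            return "denied"
        _, candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.pw_hash):
            return "bad_credentials"
        # First successful login pins the account. Enrollment happens only
        # after the password is verified; otherwise anyone could pin a fresh
        # account to their own address before the real user ever logs in.
        if not acct.allowed:
            acct.allowed.add(key)
            return "ok_enrolled"
        return "ok"

    def add_allowed(self, user, ip):
        """Called by the (2FA + Captcha protected) web interface to add a
        second network, e.g. the mobile carrier next to the home ISP."""
        info = lookup(ip)
        if info is None:
            return False
        self.accounts[user].allowed.add(info[self.accounts[user].level])
        return True

    def reset(self, user):
        """Support-driven reset: clear the pins so the next login re-enrolls."""
        self.accounts[user].allowed.clear()
```

With `level="country"` a user who first logs in from the "home ISP" prefix can still log in from the "mobile carrier" prefix because both map to SE, but not from the US range; with `level="asn"` the mobile carrier is refused until it is added through `add_allowed`; with `level="ip"` even a neighbouring address in the same /24 is refused. Note that the deny path returns before the password is checked, which is what actually shrinks the attack surface rather than merely adding a second factor.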