Someone every day tries to guess the password for the Control Panel. It's good that this hacker doesn't know the admin login.

Control Panel /administrator, so that /administrator/custom-path can be used.

Someone has been trying for several months to guess the password from the username on my site, trying to enter the Control Panel. It's good that now it can be seen in the logs, but @joomla needs additional protection.

2-FA now has one drawback: if I lose my smartphone with the authentication app, I will not be able to log into my account, because Joomla does not have SMS sending instead of a code from the authentication app.
Labels | Added: No Code Attached Yet |
> it's good that now it can be seen in the logs, but @joomla needs additional protection.

Why? This log shows that it is doing what it is supposed to do.

> 2-FA now has one drawback: if I lose my smartphone with the authentication app, I will not be able to log into my account,

That is why you are instructed to take a copy of the emergency-use one-time tokens.

> , because Joomla does not have SMS sending

For the very good reason that it is insecure. https://www.google.com/search?q=sms+mfa+not+secure&oq=sms+tfa+&aqs=chrome.1.69i57j0i13l5j0i13i30l4.5727j0j7&sourceid=chrome&ie=UTF-8
OK, sending SMS may not be safe, but such large companies as Google, Facebook and Amazon still use this method.

But I also saw on some sites the ability to get a link for authorization on the site, which will come to the e-mail. Is it possible to add such a method of authorization on the site for Joomla? Authorization on the site through the link in the e-mail.

@brianteeman in any case, I think it would be great if there was a Captcha for the Control Panel login after 3 unsuccessful login attempts. This would at least be able to further protect the website from password guessing. And blocking the ability to enter the Control Panel (for one hour, for example) after 5 or 10 unsuccessful attempts to enter the password for the Control Panel. I think Joomla could be safer in this sense.
There are third-party extensions that can help you lock-down your site.
Admin Tools (Akeeba), amongst its many features, allows you to configure how many login attempts are allowed before blocking /administrator, and you can set the "time-out" limit on that. Effectively the user's IP is blocked.
Use htaccess/htpasswd which is easy enough to set up through your web-host. It prompts for a separate password and username (not your Joomla details) before you even get to the /administrator of your joomla site. You can set this up through Admin Tools as well.
A third option is using a plugin which requires a secret key/code appended to the administrator URL before it will display the login screen. Examples - Akeeba Tools has the feature, and another is AdminExile.
Akeeba has LoginGuard, an alternative 2FA component to the core 2FA. You get the same methods as Joomla core 2FA - Yubikey, Google Authenticator (or similar app), and email plus the one-time use emergency codes.
Any combination of the above will help further lock down your administrator, and they all sit on top of the normal login.
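The lockout logic requested earlier in the thread (a captcha after 3 failed attempts, a block of about one hour after 5 or 10) and the per-IP blocking that Admin Tools is described as providing, written out as an added Python example. It is not Joomla, Admin Tools or any commenter's code; the thresholds, the choice of the client IP as the key that gets throttled, and the sample events are assumptions made for the illustration.

```python
# Added example (not Joomla or Admin Tools code): a failed-login lockout policy
# of the kind discussed in this thread. The key being throttled is the client
# IP, as Admin Tools is described as doing; all thresholds are assumptions.
from collections import defaultdict, deque


class LockoutPolicy:
    """Track failed logins per key and lock the key after too many in a window."""

    def __init__(self, max_failures=5, window_seconds=600,
                 lockout_seconds=3600, captcha_after=3):
        self.max_failures = max_failures        # failures that trigger a lockout
        self.window_seconds = window_seconds    # only failures this recent count
        self.lockout_seconds = lockout_seconds  # one hour, as suggested above
        self.captcha_after = captcha_after      # failures before a captcha is demanded
        self._failures = defaultdict(deque)     # key -> timestamps of recent failures
        self._locked_until = {}                 # key -> time the lock expires

    def _recent(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: forget it and start counting again from zero.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def needs_captcha(self, key, now):
        return len(self._recent(key, now)) >= self.captcha_after

    def record_failure(self, key, now):
        """Record one failed attempt; return True if it triggered a lockout."""
        q = self._recent(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            q.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def check_login(policy, key, password_ok, now):
    """Decide one attempt: 'locked', 'ok', 'failed' or 'locked_now'.

    The lock is checked before the password result is consulted, so a locked
    client learns nothing about whether its latest guess was right.
    """
    if policy.is_locked(key, now):
        return "locked"
    if password_ok:
        policy.record_success(key)
        return "ok"
    if policy.record_failure(key, now):
        return "locked_now"
    return "failed"


def simulate(events, policy=None):
    """Run (timestamp, client_ip, password_ok) events through a policy."""
    policy = policy or LockoutPolicy()
    return [check_login(policy, ip, ok, t) for t, ip, ok in events]


# Constructed sample: five wrong passwords in a row, a correct one while the
# lock still holds, then a correct login after the one-hour lock has expired.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (20, "203.0.113.7", False),
    (30, "203.0.113.7", False),
    (40, "203.0.113.7", False),
    (50, "203.0.113.7", True),    # right password, but the lock holds
    (3700, "203.0.113.7", True),  # lock expired (40 + 3600 = 3640)
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", verdict)
```

Keying on the client IP is what the thread describes, but it has the usual caveats: attackers spread across many addresses stay under the threshold, and several legitimate users behind one NAT share a lock. Keying on username as well, or requiring the captcha rather than a hard lock at the lower threshold, is the usual compromise, and the emergency one-time codes mentioned above remain the recovery path for the account owner.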
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-10-30 11:08:36 |
Closed_By | ⇒ | joomdonation |
There are several options, as @AMurray2016 described above, which can be used to protect the administrator area of your site without requiring a captcha. With that said, I'm closing this issue.