Instead of forcing a login perhaps you should give people a MFA to accomplish. Thats is all your attempting to do in one of the most least thought out ways. Do not force your security on people, give them to option to opt in. And password - password authentication is not a form of multi-factor. I reminds me of Verizon (who's policies are also ridiculous ) that even when I know my password I have to answer a security question and enter pin also .
Just use a service that you can provide to your customers, do not create a situation that cripples the program if we refuse compliance.
