As to group membership... it's a decent option. It WOULD mean that bots would be blocked from joining such groups, as whoever is operating them would need to set up 2FA for all of their bot accounts AND have authenticators set up for each. An additional requirement would be not only to have 2FA active, but to invoke a 2FA challenge on joining OR accepting a role assignment/change. This would be a little harder, since currently 2FA only gets invoked when logging in, not sure there's a mechanism to issue challenges for inworld events.

However, 2FA only slows down the scams that try to co-opt the username and password. However, there are some scammers that try to use the current SL session keys (which unless you UNCHECKED the "save for 30 days" option on 2FA, allows your viewer to log in without a challenge 'most of the time'). If a scam attack targets the viewer session key, it is able to impersonate your session, and 2FA will not be invoked.

THIS loophole needs to be addressed - session keys should not persist from one device to another, and spoofing the current device should be made extremely difficult (I'm thinking it would need to require accurate timestamp coordination, within a few milliseconds of drift, as well as matching OS build version, an IP within the same subnet as previously/currently used, as well as userid/password. ) Otherwise a "man in the middle" attack can suborn 2FA without too much trouble. Yes this does mean that 2FA challenges would pop up more often for those who have it enabled. This Is The Point Of 2FA.

Not everyone can use 2FA, for a variety of reasons. This could lock out legitimate people.

This won't stop the conference spams from bots that scrape usernames from region visits, but it's one option that keeps groups a bit cleaner, at least.