The FTC recently fined a company that was the victim of a credential stuffing attack. Although the company was a victim, it is still liable because credential stuffing has become a foreseeable problem and the company did not do enough to prevent it.
As summarized in the article:
Nonetheless, if it wasn't clear before, it is after TaxSlayer: Companies that fail to consider the risks of credential stuffing, and to implement mitigating controls, do so at their peril. Companies that fail to use multi-factor authentication to protect sensitive data do so at their particular peril. The precise legal hook relied upon by privacy enforcers will always vary from case to case, but the enforcement community's commitment to these principles is here to stay.
Credential stuffing is currently a huge issue, and with rulings like this from the FTC, more and more organizations will need multi-factor authentication.
Liferay Portal should offer some sort of multi-factor authentication out of the box. The easiest options to offer are probably Email and TOTP (e.g., Google Authenticator).