We are in 2018 (almost 2019), but people still use the same password for everything, so I think that your two-step verification with email is a good start, ~~but not the best.~~
There is the possibility of sending the code via SMS, but going by recent studies it seems really risky to do. I read in an article that over 26 million SMS texts were exposed.
~~Another common solution is to use an app. I read in Ask Riot that you are thinking about whether it is worth making an app or not, but... The first time we log in to the app, it will probably ask us for a code that we will get via email. And if we lose the phone or want to log in on another phone, it will again ask us for a code that it will send via email. So if we have the same password for the League account and the email account, a _"phishing man"_ (the guy who got our username/password because we typed them into a phishing website) can install the app, log in to our email, get the code, get access to the two-step verification app, and approve his access from the app.~~
**P.S. I just noticed that the _"phishing man"_ can't know our email address because it is always covered by asterisks (\*). He can know it only if you use your username as the name of the email (for example: username: yasuomain; email: firstname.lastname@example.org). In that case it would be your fault.**
I think that the app would be the best solution. From the app we can approve access or scan a QR code to get access (without typing username and password, like WhatsApp Web). And a really good feature would be to have a list of all sessions and the possibility to close a session from the app (like Facebook).
**P.S. You should give the possibility to remove the access or log out from the app. If we lose our phone, what will happen? With a ticket, after the questions to confirm that we are the real owner of the account, we should be able to log out from the app remotely.**
But... the best solution, in my opinion, is to give the possibility to log in using an external device. Probably some of you already know of devices like the YubiKey: it allows you to log in without typing the username/password; just by plugging in the device you can log in (it can also be used in other ways, including as a two-step verification). This solution would need time to be developed, and few people would spend money just to have a "USB pendrive" to log in to League. So, I think that there are three ways to resolve this problem:
1- Riot Games, with other companies (Blizzard, EA, Valve...), creates a "_YubiKey_" for game accounts. In this way you can sell it for a cheap price (10-15€), and to tempt people to buy it you can give some RP or an exclusive skin when a player connects the device to his account.
2- This method will not generate profit because it will be free and accessible to anyone. You create software that _converts_ a common USB pendrive into a "_YubiKey_", and people can use it to log in without typing username/password or as a two-step verification. This will need a lot of time to add to the client because you will have to consider some security situations like: what if I lose the USB key?
**P.S. To make this system safer, the code inside the USB pendrive that allows us to log in has to expire after 30 days, and people have to get a new _code_ inside the USB pendrive to be able to use it again as a login system, and you should format the pendrive (to avoid errors and viruses).**
3- The easiest: form a partnership with YubiKey and let them do all the work :).
P.S. Sorry for my English.