The most effective upgrade to security, given the scenario, would be to implement a system that requires users to provide a second form of authentication in addition to their password (something they know). The use of a time-based one-time password (TOTP) app provides a dynamically changing code (something they have) and is a common approach for achieving two-factor authentication on mobile devices. A PIN code, while an additional security measure, would not constitute a second factor since it is another thing the user knows, not something they have. Similarly, a fingerprint alone does not fit the scenario's requirement for adding to the existing security measure (password) but would be used instead of a password. Disabling location services does not add a second authentication factor and thus does not enhance access security as described.