We have allow_2fa to make it something one can opt-in to, but can we also make it required?

[consideRatio]

I'd like to be able to enforce 2fa for users, not just allow them to opt it to 2fa.

Related: #152

[lambdaTotoro]

This raises the question on whether we want two 2FA options (allow / enforce) or stick with one (only enforce or only allow). I think since generally, choice is good¹, I think it should be the former. One option that allows it and another option that build on that that enforces it.

---

[1]: Classical mathematicians are not allowed to quote this out of context.