Allow enforcing 2FA only if current admin has 2FA enabled

[ChristophWurst]

This was brought up in #12249.

Without this, an admin that does not read the warnings will lock themselves out.

[rullzer]

well... sure it would be a nice enhancement.

But personally I do not have trust in an admin that would not understand that if you enforce this that you yourself of all people should have it enabled 🙊

[ChristophWurst]

But personally I do not have trust in an admin that would not understand that if you enforce this that you yourself of all people should have it enabled speak_no_evil

Me neither, but apparently some people have already run into this: #12249 🙈

[caitisgreat]

I recommend the status of this ticket be bumped up from low to at least medium. Snap just pushed out new versions for everyone two days ago and it disabled all 2FA methods on upgrade.

[ChristophWurst]

I don't see how this check/warning would help with that issue. If 2FA providers disappear (disabled, fail to load) we have to still enforce 2FA because this might otherwise open doors for attackers.

The real issue here is that the apps got disabled for some reason. This has to be addressed instead.

[ChristophWurst]

I think #11102 is the ticket where we're discussing that ;)