When no 2FA method is activated for a user, we have an option to force a user to set up SMS 2FA. However, this is also triggered when a user already has the "Configure OTP" or "Webauthn Register" required action.
We should check if a user already has any other 2FA configuration required action set before setting the SMS 2FA action in the enforcement mode. I'm not sure if we can check for unknown 2FA methods, but at least the 2 existing ones should be recognized.
When no 2FA method is activated for a user, we have an option to force a user to set up SMS 2FA. However, this is also triggered when a user already has the "Configure OTP" or "Webauthn Register" required action.
We should check if a user already has any other 2FA configuration required action set before setting the SMS 2FA action in the enforcement mode. I'm not sure if we can check for unknown 2FA methods, but at least the 2 existing ones should be recognized.