FEATURE: Warn of missing 2FA / Enforce setting up 2FA

[Sebobo]

My customer asked whether it can be made possible to warn of a missing 2FA token when a user logs in. Or even force a redirect to setting it up as long as it hasn't been done yet.

The might be a customer budget for this, then I could provide a PR. If not I just leave it here as an idea :)

[Pingu501]

Sounds like a good idea! Think we can just block the authentication and show a create TOTP screen during login.

Not sure yet if this should be configured via UI (some sort of Settings screen) or via Settings.yaml. What do you think?

[Sebobo]

As a setting is fine.

I did it via a Component/Middleware for my customer, which redirects to the setup page when a user is logged in but has no account.

[Benjamin-K]

yeebase/Yeebase.TwoFactorAuthentication does this, too. But there it is much more complicated to configure IMO.

I would prefer this way:

• A setting in Settings.yaml to force 2FA to be enabled.
• A policy for the 2FA Setup screen to be viewable without being (fully) logged in (optional).