Improvement for 2FA

[stewrg]

When enabling 2FA is is not clear to the user that the new device must be Enabled.

I have had several users click past the enablement stage, which means they then block themselves by repeatedly entering a password AND the generated 2FA code - unaware that they have not enabled the device.

Is it possible to force the user to enter the enablement code before returning to other parts of the platform?

[bapril]

Yes, add banner indicating that the token has to be activated below the QR, also add the form for said token activation. Good call!