After some more thought, the issue with requiring 2fa is that we need to support all the different types of 2fa (backup code, totp, hardware key), which requires quite a bit of refactoring. Also, at the moment, adding 2fa won't increase security, since a user can regenerate their totp token/get new backup codes without any re-authentication.

I think adding 2fa to this should be part of a future change where we harden everything together, and is out of the scope of the current PR.

Originally posted by @Ninjaclasher in #2290 (comment)