ephios-dev / ephios

ephios is a Django web application for managing participation for services at events, like paramedics at a festival, lifeguards at the beach, referees and judges at competitions, etc.

Home Page: https://ephios.de

Add MFA/2FA via webauthn/FIDO2

jeriox opened this issue · comments

As a user, I want to be able to enable 2FA for my ephios account.
We could also require it for administrators or specific actions.

https://github.com/mkalioby/django-mfa2 looks good, https://github.com/CZ-NIC/django-fido as another option

commented

I think nowadays 2FA or login with passkey/certificate as a security standard should at least be available everywhere as an option. It would also be conceivable to have an individual setting option as to whether 2FA is mandatory and an individual setting option for how long and complex the passwords must be. So 2FA options should, if possible, include email, authentication app, backup codes and YubiKey (https://github.com/mkalioby/django-mfa2 looks good and has all these requirements). The most important thing is 2FA protection for the admin account.