"Require 2FA" should be renamed
I have seen several different users who believed "Require 2FA" can be used to decide whether or not a second factor is required on connection, depending on what authentication method was used in the Choice module.
A typical case is: No 2FA required when SSL or Kerberos is used.
These users generally assume "Require 2FA" has to be set to something like $_auth ne 'Kerberos', which is wrong.
I think the option name is confusing, since this option does not make 2FA a requirement when enabled. It only forces registration of registrable providers.
At the very least we should rename this option "Force 2FA registration at login", to make it clear this option only affects registrable providers.
Do you agree?