[security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret

Concerned version

Version: 2.0.11

Summary

• Configure "Use 2FA for session upgrade"
• Configure TOTP with "Display existing secret" enabled
• Steal a user's password and login with it
• Go to 2FA manager, click TOTP
• Scan the user's existing TOTP to your own device, and profit. on backends

Possible fixes

Either

• Remove the ability to display existing 2FA secrets Or
• Protect existing secret from being displayed when current authentication level is too low

Depending on #2541 (closed)