[RFE] Force users to generate TOTP instead of locking them out

[orenwolf]

Right now, if a user ignores the 2FA requirement until the login timeout is reached, they are locked out entirely and unable to log in.

Instead, if they log in successfully, they should instead be told that they MUST generate a code to log-in. This would probably require some sort of check that forces them to a generation page on every action, to make sure they didn't "deep-link" to somewhere in the admin interface to get around the login check (as they'd technically be logged-in correctly).

[julien731]

That would make sense. If an admin forces users to use 2-fa (s)he probably doesn't mind having an annoying prompt that, indeed, forces users to enable it.