Support enforcing 2FA
This is a part of stackspin#1570 (closed). To enforce 2FA, it's not enough to set the required_aal setting in Kratos to highest_available, because that poses no restriction as long as the user has not set up their 2FA. We want to check, probably during the consent stage, that the user has an aal2 session (i.e., 2FA) and, if not, reject the consent request and redirect to the Kratos settings with a message explaining that they really need to set up 2FA before they can use Stackspin.
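The consent-stage check described above, as an added example (not Stackspin's own code): it inspects a Kratos session, which carries an authenticator_assurance_level of "aal1" or "aal2", and produces either a Hydra consent acceptance or a rejection whose redirect points the user at the Kratos settings flow. The settings URL, the message query parameter and the sample session below are constructed placeholders; the rejection body uses the field names Hydra's reject-consent endpoint accepts (error, error_description, status_code), but the exact wiring into a real consent handler is an assumption.

```python
import json
from urllib.parse import urlencode

# Hypothetical deployment values, not taken from the Stackspin configuration.
KRATOS_SETTINGS_URL = "https://sso.example.org/kratos/self-service/settings/browser"
REQUIRED_AAL = "aal2"
ENFORCE_MESSAGE = "You must set up two-factor authentication before you can use Stackspin."


def session_aal(session: dict) -> str:
    """Return the assurance level Kratos recorded for this session.

    Kratos sets authenticator_assurance_level to "aal1" (one factor) or
    "aal2" (second factor completed). A missing field is treated as aal1,
    the conservative choice: an unknown level never counts as 2FA.
    """
    return session.get("authenticator_assurance_level", "aal1")


def settings_redirect(message: str) -> str:
    """Build the URL the rejected user is sent to (message param is an assumption)."""
    return KRATOS_SETTINGS_URL + "?" + urlencode({"message": message})


def decide_consent(session: dict, requested_scope: list[str]) -> dict:
    """Decide what to tell Hydra for this consent request.

    Only an active session at the required AAL is accepted; anything else is
    rejected so that required_aal=highest_available cannot be bypassed by a
    user who simply never enrolled a second factor.
    """
    if not session.get("active", False):
        return {
            "action": "reject",
            "body": {"error": "login_required",
                     "error_description": "Session is not active.",
                     "status_code": 401},
            "redirect_to": settings_redirect(ENFORCE_MESSAGE),
        }
    if session_aal(session) != REQUIRED_AAL:
        return {
            "action": "reject",
            "body": {"error": "access_denied",
                     "error_description": ENFORCE_MESSAGE,
                     "status_code": 403},
            "redirect_to": settings_redirect(ENFORCE_MESSAGE),
        }
    return {
        "action": "accept",
        "body": {"grant_scope": requested_scope,
                 "remember": False},
    }


# Constructed sample sessions in the shape Kratos returns from /sessions/whoami.
SESSION_PASSWORD_ONLY = json.loads("""{
  "active": true,
  "authenticator_assurance_level": "aal1",
  "authentication_methods": [{"method": "password"}],
  "identity": {"id": "11111111-1111-1111-1111-111111111111"}
}""")

SESSION_WITH_TOTP = json.loads("""{
  "active": true,
  "authenticator_assurance_level": "aal2",
  "authentication_methods": [{"method": "password"}, {"method": "totp"}],
  "identity": {"id": "11111111-1111-1111-1111-111111111111"}
}""")


if __name__ == "__main__":
    for name, sess in (("password only", SESSION_PASSWORD_ONLY),
                       ("password + totp", SESSION_WITH_TOTP)):
        print(name, "->", decide_consent(sess, ["openid", "profile"])["action"])
```

The check deliberately keys on the session's assurance level rather than on whether the identity has a TOTP credential enrolled: a user with 2FA configured but who logged in with only a password is still aal1 and is still sent to settings, which matches the "highest_available" semantics the issue is trying to enforce.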