Make it possible to make 2FA mandatory
Some clients need 2FA to be mandatory for their cluster. This requires a bit of addition to our login code, so it can check the kratos-provided security level and if insufficient reject the consent request and redirect to 2FA.
This needs to be configurable, though for now it's fine it that's done "manually" through per-cluster override of a helm value.