2FA requirement for roles
Roles should have the option to require users to have setup 2FA for the role to be in effect. If a user with such a role has not setup 2FA, he should see an alert on the selfservice page and simply not have the additional groups granted by the role.