The good news is that I found the command to disable 2FA in the config file! Apparently at least one of my predecessors appears to dislike it as much as I do!
So I set it to enabled, and guess what? It leads to the system requiring 2FA
no matter what, even though I have it set in the admin control panel to be OFF by default!
Perhaps then one of my predecessors liked 2FA fine, but discovered what I did, that enabling it even as an option in our configuration forces it to be required for everyone, and that is an absolute 100% no go.
This is going to require a LOT more research than the five hours that I've put into it thus far, and it's also going to require some experimenting, which will include periods where, yes, 2FA will be required for everyone. That's an absolutely hideous scenario, and I can't apologize enough for it, but this is what it's going to take to crack this nut.
I'm also not hopeful for getting help from the XF gurus, who are so far telling me, "Dude, it's gone because you commented it out on purpose. If you want it back, edit your config file to turn it back on" -- which I did and discovered that it causes problems that I can't troubleshoot without leaving it on for everyone for as long as it takes me to solve the problem.
At this rate, that might take days. Maybe a lot of 'em. As noted above, this is indeed a default feature in XenForo, but it is NOT working as documented. The problem is clearly related to something specific in
our configuration -- which again, I did not install, and nobody who did is even working in this field anymore, much less at UU.
I don't give up easily, but I'm also not liking the scale of the effort for this solution so far, relative to what it will provide.
Again, not putting this off or saying no in any way. I'm trying, but it's been a while since I've spent this kind of time on a project with NO good results. That is, I've had plenty of results, and they all stink.
So I'll ask -- how much is this worth to you? How many other problems should I be putting off trying to address this right now? Maybe rank it on a scale of 1 to 10 for urgency? Has something happened to make your account feel suddenly less secure?