Allow Org to enforce 2FA usage

<img width="2534" height="786" alt="Image" src="https://github.com/user-attachments/assets/f9864031-5680-4e25-8dfb-e5a0a306cd34" />
Same as supabase does.

This should force users to have MFA setup in they account.
This setting should let apikey work without MFA.