inherit require 2fa for all subgroups and projects

What does this MR do?

Me as a group owner, I want the require 2FA property to be inherited across all my subgroups and projects. So in this MR the set of users is extended to include all users of sub-groups and projects (of the group or subgroups).

If the decision was taken, that a group needs to have two factor authentication, this indicates that high security requirements are needed. as there is the possibility to have subgroups and projects in a group, it is quite plausible that this high security requirements also apply for this subgroups and projects. So it would be much more intuitive when the 2FA requirement is propagated to the subgroups and all projects. It seems wrong that people added in subgroups or on project level do not need tho have 2FA.

Does this MR meet the acceptance criteria?

• Changelog entry added, if necessary
• Documentation created/updated via this MR
• Documentation reviewed by technical writer or follow-up review issue created
• Tests added for this feature/bug
• Tested in all supported browsers
• Conforms to the code review guidelines
• Conforms to the merge request performance guidelines
• Conforms to the style guides
• Conforms to the database guides
• Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
• Security reports checked/validated by reviewer

The development of this MR is sponsored by @ siemens (/cc @bufferoverflow).

doc/security/two_factor_authentication.md

@@ -30,20 +30,22 @@ period to `0`.
 
 ## Enforcing 2FA for all users in a group
 
+> [From](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24965) GitLab 12.0, 2FA settings for a group are also applied to subgroups.
+
 If you want to enforce 2FA only for certain groups, you can enable it in the
 group settings and specify a grace period as above. To change this setting you
 need to be administrator or owner of the group.
 
-- Since GitLab 12.0 2FA is inherited for members of sub groups as well
+The following are important notes about 2FA:
+
 - If you share a 2FA enabled group with another group, the members of the other
-  group will **not** be forced to enable 2FA!
+  group are not required to use 2FA.
 - Users that are member of a project that is shared with a 2FA enabled group are
-  not enforced to use 2FA.
+  not required to use 2FA.
 - If you add additional members to a project within a group or subgroup, 2FA is
-  not enforced for those members
-
-If there are multiple 2FA requirements (i.e. group + all users, or multiple
-groups) the shortest grace period will be used.
+  not required for those members.
+- If there are multiple 2FA requirements (for example, group + all users, or multiple
+  groups) the shortest grace period will be used.
 
 ---