2FA doesn't seem to be mandatory even with "Require all users in this group to setup Two-factor authentication" enabled
Summary
When the "Require all users in this group to setup Two-factor authentication" option is enabled for a group together with a grace period, and that grace period is later reduced or set to 0, users who skipped enabling two-factor authentication earlier are not required to do so until the original grace period expires.
Steps to reproduce
- Create a new group
- Enable the "Require all users in this group to setup Two-factor authentication" option from the group's general settings
- Set the grace period to a non-zero value
- Add a user to the group that does not have 2FA enabled.
- Observe the user is requested to enable 2FA, but is given a grace period.
- Skip configuring 2FA.
- Go back and change the grace period to 0.
- Observe that the user is not forced (nor requested) to enable 2FA, unless the user signs out and back in, or until the original grace period expires.
Possible solution
The problem lies in the EnforcesTwoFactorAuthentication class. #check_two_factor_requirement is called, which decides whether 2FA can be skipped for the current request. However, neither the conditional in #check_two_factor_requirement nor the #skip_two_factor? method calls #two_factor_skippable?, so a skip recorded in the session (with the expiry that was in effect at the time) keeps working after the grace period has been reduced.
A solution for this would be to change the #skip_two_factor? method as follows:
# The skip is only honoured while the current settings still allow skipping,
# not merely because the session holds an expiry timestamp that is still in the future.
def skip_two_factor?
  two_factor_skippable? && session[:skip_two_factor] && session[:skip_two_factor] > Time.current
end
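As an added illustration of the reported behaviour and the proposed fix (this is a simplified model written for this issue, not GitLab's own code), the following reproduces the session-based skip with and without the #two_factor_skippable? guard. The Group and User structs, the hour-based grace period and the `required_at` timestamp are assumptions; plain Ruby's Time.now stands in for Rails' Time.current.

```ruby
# Added illustration of the bug and the proposed fix, not GitLab's code.
# Assumed model: the group stores the 2FA requirement and grace period in
# hours; `required_at` is when the user was first asked to set up 2FA; the
# session keeps the "skip until" timestamp. Plain Ruby, so Time.now replaces
# Rails' Time.current.
Group = Struct.new(:require_two_factor, :grace_period_hours)
User  = Struct.new(:two_factor_enabled, :required_at)

class TwoFactorEnforcer
  attr_reader :group, :user, :session

  def initialize(group, user)
    @group, @user, @session = group, user, {}
  end

  # Deadline derived from the group's *current* grace period.
  def grace_deadline
    user.required_at + group.grace_period_hours * 3600
  end

  # Can the user still defer 2FA under the current settings?
  def two_factor_skippable?(now = Time.now)
    group.require_two_factor && group.grace_period_hours > 0 && grace_deadline > now
  end

  # The "Skip" button: remembers the deadline in effect at that moment.
  def skip!
    session[:skip_two_factor] = grace_deadline
  end

  # Behaviour the issue reports: only the stored session timestamp is consulted.
  def skip_two_factor_original?(now = Time.now)
    !!(session[:skip_two_factor] && session[:skip_two_factor] > now)
  end

  # Proposed fix: the skip must also be allowed under the current grace period.
  def skip_two_factor_fixed?(now = Time.now)
    two_factor_skippable?(now) && skip_two_factor_original?(now)
  end

  # Mirrors the requirement check: true when the user should be sent to 2FA setup.
  def must_set_up_two_factor?(now = Time.now, fixed: true)
    return false unless group.require_two_factor
    return false if user.two_factor_enabled
    !(fixed ? skip_two_factor_fixed?(now) : skip_two_factor_original?(now))
  end
end
```

With `fixed: false` the enforcer keeps honouring the skip after the grace period is set to 0 until the originally stored deadline passes; with the guard, the user is sent to 2FA setup on the next request.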
Edited by Drew Blessing