ESCALATED: User must have verified email before enabling 2FA
1- attacker register with victem email (that not be a user at gitlab)
2- attacker could login without email verification
3- attacker could enable 2FA without email verification
impact: when user want to register his mail at gitlab and find that some one make an account with his mail he will make a reset password and he will change his password but he cant access the account because 2fa activated by attacker first
Don't allow 2FA configuration with an unverified email address.