### Summary When `Require all users in this group to setup Two-factor authentication` option is enabled for a group and a grace period is used, if that grace period is later reduced or set to 0, users that skipped enabling two factor earlier will not be required to do so until the original grace period expires. ### Steps to reproduce 1. Create a new group 1. Enable the `Require all users in this group to setup Two-factor authentication` option from the group's general settings 1. Set the grace period to a non-zero value 1. Add a user to the group that does not have 2FA enabled. 1. Observe the user is requested to enable 2FA, but is given a grace period. 1. Skip configuring 2FA. 1. Go back and change the grace period to 0. 1. Observe that the user is not force (nor requested) to enable 2FA, unless the user signs out and back in, or until the original period expires. ### Possible solution The problem lies in the [`EnforcesTwoFactorAuthentication`](https://gitlab.com/gitlab-org/gitlab/blob/master/app%2Fcontrollers%2Fconcerns%2Fenforces_two_factor_authentication.rb) class. `#check_two_factor_requirement` is called, which checks whether to skip 2FA. However, neither the conditional in [`#check_two_factor_requirement`](https://gitlab.com/gitlab-org/gitlab/blob/e8fb4ef777bf302a678e9c5193309a13b40175e7/app/controllers/concerns/enforces_two_factor_authentication.rb#L19) nor the [`#skip_two_factor?`](https://gitlab.com/gitlab-org/gitlab/blob/e8fb4ef777bf302a678e9c5193309a13b40175e7/app/controllers/concerns/enforces_two_factor_authentication.rb#L61) method calls `#two_factor_skippable?`. A solution for this would be to add to the `#skip_two_factor` method as follows: ```ruby def skip_two_factor? two_factor_skippable? && session[:skip_two_factor] && session[:skip_two_factor] > Time.current end ```