It doesn't make sense to try to grant anonymous users the ability to activate 2FA, and it leads to "Manage Two-factor authentication" being listed for anons at, e.g., https://foundation.wikimedia.org/wiki/Special:SpecialPages
Instead, it should be granted to users, and revoked from them, as needed.
This requires:
- Preemptively revoking from users, in addition to revoking from *, in WMF config
- Updating extension.json
- Removing the revocation from * in WMF config
Hence also tagging as a site request.