Two factor authentication was enabled for groups with elevated privileges (like sre). Users outside of this group may also have elevated permissions through maintainer permissions in certain projects. This allows users to merge changes or schedule CI jobs in the trusted environment.
We should consider enforcing 2FA for this group of users as well. The group is more heterogeneous. So enabling 2FA is a bit more complicated and would require custom tooling (like a script looping over every user with maintainer permission and enabling 2FA).
Maybe it makes sense to enable 2FA instance wide instead of creating more custom tooling for access control.