gitlab 16.8 release notes say:
You can now enforce whether GitLab administrators are required to use two-factor authentication (2FA) in their self-managed instance. It is good security practice to use 2FA for all accounts, especially for privileged accounts like administrators. If this setting is enforced, and an administrator does not already use 2FA, they must set up 2FA on their next sign-in.
It felt like we already do that but since this is advertised as a new feature since our upgrade yesterday/today we should check and enable it.