We need a way for certain wikis to force certain users to use OATHAuth.
There are two (somewhat complementary) possible approaches:
* Refactor OATHAuth to use AuthManager for enabling/disabling (in-progress patch: https://gerrit.wikimedia.org/r/#/c/294861/), then write a `SecondaryAuthenticationProvider` that asks for 2FA to be set up after a successful login. (`ResetPasswordSecondaryAuthenticationProvider` is an example.) This is good when we want to completely lock users out of the wiki until they have set up 2FA but is less effective for already logged-in users who get promoted into a new user group.
* Use the [[https://www.mediawiki.org/wiki/Manual:Hooks/UserGetRights|UserGetRights]] hook to disable sensitive permissions until 2FA is set up, and find some way to communicate to the user what is going on. This is good when we only want to require users with access to a certain permission to use 2FA, but the communication part seems messy.
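A sketch of the second approach, as an added example that is not part of the original task or of OATHAuth itself. `$wgTwoFactorGatedRights`, `$wgTwoFactorCheck` and the `TwoFactorGate` log channel are hypothetical names, and the repository lookup is an assumption about the installed OATHAuth version. Because the hook runs whenever rights are computed, it also covers an already logged-in user who gets promoted into a new group.

```php
<?php
// LocalSettings.php sketch. Added example, not OATHAuth's own code.

// Hypothetical setting: rights withheld until the account has 2FA enrolled.
$wgTwoFactorGatedRights = [ 'editinterface', 'userrights', 'block', 'delete' ];

// Assumed lookup, modelled on the OATHAuth user repository; verify the
// class and method names against the OATHAuth version you have installed.
$wgTwoFactorCheck = function ( User $user ) {
	$oathUser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );
	return $oathUser->getKey() !== null;
};

$wgHooks['UserGetRights'][] = function ( User $user, array &$rights ) {
	global $wgTwoFactorGatedRights, $wgTwoFactorCheck;

	// Anonymous sessions cannot enrol, so there is nothing to gate.
	if ( $user->isAnon() ) {
		return true;
	}
	// Only act when the user currently holds a gated right; this also
	// avoids a repository lookup for ordinary accounts.
	$held = array_intersect( $rights, $wgTwoFactorGatedRights );
	if ( !$held ) {
		return true;
	}
	try {
		$enrolled = (bool)call_user_func( $wgTwoFactorCheck, $user );
	} catch ( Exception $e ) {
		// Fail closed: an unreadable 2FA state must not grant gated rights.
		$enrolled = false;
	}
	if ( !$enrolled ) {
		// array_values() reindexes so callers see a plain list.
		$rights = array_values( array_diff( $rights, $wgTwoFactorGatedRights ) );
		wfDebugLog( 'TwoFactorGate', "Withheld from {$user->getName()}: " .
			implode( ', ', $held ) );
	}
	return true;
};
```

The debug log records what was withheld for administrators only; telling the affected user why a permission is missing is the separate communication problem noted above.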