User-settable 2FA Settings, Fine-grained 2FA Settings
The current 2FA implementation is extremely lacking. I only seem to be able to find the prompt to scan a 2FA code after first toggling it on, and then from the administrator panel when looking up users. Virtually every other 2FA I've configured gives an option in user settings to manage their 2FA codes. Without letting users do that, you are asking for lockout issues if a user has to get a new phone. This should not be hidden in the User administration area, unless admins want to hide that from users.
Furthermore, we should have more fine-grained settings to set 2FA requirements based on role, and have the ability to exempt the built-in Admin account from 2FA, since it's extremely dangerous not to have a fallback in case 2FA does not work.
