Joomla supports 2FA for users.. but currently there is no option to force the use of it before a user can fully log in to the website.. Currently I use a 3rd party extension to arrange this.. but it would be great to have this built into the core..
Labels | Added: J3 Issue |
@PhilETaylor .. I don't understand why.. Besides functionality.. Security should be default.. (GDPR demands.. Security by default and Security by design)..
I can understand why it's not enabled by default.. but a message (after installation) or Security check should notify the admin of the existence and use..
And if you enable it you should be able to manage it (force 2FA or option).. in the core there is no option to force 2FA..
Luckily for us.. there is a 3rd party solution for this..
Akeeba LoginGuard... offers all the options you want.. incl. force the use of 2FA at login..
Like you said, there are third party solutions that are already available to fix this in Joomla, while that is the case, Joomla will probably never change its mind on running a "security first" project, instead of a "let's not upset users" project...
That's the "joy" of a mass distributed project that has to cater for the "worse" and the "best" users. People still view "security" as a pain in the arse, instead of something to be celebrated and educated
(My 11 year old has her own Laptop with FileVault enabled, Her own GPG key, SMIME email encryption enabled on all her iDevices, and her own Yubikey! She was not the only person in her class at school to enable 2fa on her School Office365 account! - Educating people about security is not as difficult as people make out!)
So if you search this tracker you will see that your request has been made many times, and many times it has come to a dead end.
As @mbabker already said to you
Come up with a way to do it that does not lead to user confusion (UX fail) and submit a pull request. I will bend over backwards to personally see your PR is reviewed at the expense of one of the other 97 things I probably should be doing at the time. Ball's in your court because I for one don't have the time to be doing pretty much anything else right now.
Indeed... that is the main issue I think..
But security does not have to be hard, user unfriendly etc.. furthermore.. when hacks of Joomla websites go public.. it's killing for the project..
and when they integrate security by default and design.. other extensions can rely on that and not create all their own security settings.. One Security place for the complete site..
Perhaps a separate distribution.
As @mbabker already said to you
Come up with a way to do it that does not lead to user confusion (UX fail) and submit a pull request. I will bend over backwards to personally see your PR is reviewed at the expense of one of the other 97 things I probably should be doing at the time. Ball's in your court because I for one don't have the time to be doing pretty much anything else right now.
Take a look at Akeeba LoginGuard.. they already made it.. and user friendly..
Just adopt it in the Joomla core.. that's all folks..
Status | New | ⇒ | Discussion |
Category | ⇒ | com_login |
Labels | Removed: J3 Issue |
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-09-13 08:38:42 |
Closed_By | ⇒ | Quy |
Please test PR #26253
I have repeatedly approached this and repeatedly got shot down.
Even when I suggested the 2FA plugins be enabled by default so that their features were at least seen and not hidden (the tabs in the edit user screen don't show until the plugins are enabled), that idea got shot down. :-(