pennersr/django-allauth

[MFA] Add setting for disabling reauthentication

mecampbellsoup opened this issue · 1 comment

I was surprised to discover that ACCOUNT_REAUTHENTICATION_REQUIRED does not apply to MFA behavior, so there's no way to disable requiring reauthentication when a user seeks to turn MFA on.

Is this intentional or just a result of the MFA stuff being fairly new?

This was intentional. Turning on/off MFA is a very security sensitive step -- you can get completely locked out of your account if somebody turns it on for you while you are grabbing a coffee. Requiring reauthentication for the regular account management pages is less problematic and also fairly non-standard, which is why that is put behind a setting.
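The distinction drawn in that reply (a configurable reauthentication requirement for ordinary account pages, but an unconditional one for turning MFA on or off) can be modelled as a small step-up authentication gate. The following is an added, self-contained Python illustration and not django-allauth's own code: the `Session` class, the `require_recent_auth`, `set_mfa` and `change_email` functions, the five-minute freshness window and the `account_reauthentication_required` parameter (standing in for the ACCOUNT_REAUTHENTICATION_REQUIRED setting named above) are all assumptions chosen for the example.

```python
"""Step-up ("sudo mode") gate for security-sensitive account actions.

Constructed illustration, not django-allauth code. Names, the freshness
window and the credential check are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REAUTH_WINDOW = timedelta(minutes=5)  # assumed freshness window

# Fixed clock values so the example is deterministic (constructed).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LOGIN_AT = NOW - timedelta(minutes=10)  # original login is already stale


class ReauthenticationRequired(Exception):
    """Raised when the caller must re-enter credentials before proceeding."""


@dataclass
class Session:
    user: str
    authenticated_at: datetime              # time of the original login
    last_reauth_at: Optional[datetime] = None  # most recent step-up check
    mfa_enabled: bool = False
    email: str = ""


def recently_authenticated(session: Session, now: datetime,
                           window: timedelta = REAUTH_WINDOW) -> bool:
    """True if the user proved possession of credentials within `window`."""
    reference = session.last_reauth_at or session.authenticated_at
    return now - reference <= window


def reauthenticate(session: Session, credential_ok: bool, now: datetime) -> None:
    """Record a fresh credential check.

    The actual password/passkey verification is stubbed as a boolean here.
    """
    if not credential_ok:
        raise PermissionError("credential check failed")
    session.last_reauth_at = now


def require_recent_auth(session: Session, now: datetime) -> None:
    """Abort the action unless the session was (re)authenticated recently."""
    if not recently_authenticated(session, now):
        raise ReauthenticationRequired(
            f"{session.user}: re-enter credentials before continuing")


def set_mfa(session: Session, enabled: bool, now: datetime) -> bool:
    """Turn MFA on or off. Always gated, regardless of any account-level setting.

    A borrowed session could otherwise enrol a foreign authenticator and lock
    the real owner out, which is the risk the maintainer's reply describes.
    """
    require_recent_auth(session, now)
    session.mfa_enabled = enabled
    return session.mfa_enabled


def change_email(session: Session, new_email: str, now: datetime,
                 account_reauthentication_required: bool = True) -> str:
    """Ordinary account management honours the configurable setting."""
    if account_reauthentication_required:
        require_recent_auth(session, now)
    session.email = new_email
    return session.email


if __name__ == "__main__":
    s = Session(user="alice", authenticated_at=LOGIN_AT)
    try:
        set_mfa(s, True, NOW)
    except ReauthenticationRequired as exc:
        print("blocked:", exc)
    reauthenticate(s, credential_ok=True, now=NOW)
    print("mfa_enabled =", set_mfa(s, True, NOW))
```

With a login ten minutes old, `set_mfa` is refused until `reauthenticate` records a fresh credential check, while `change_email` goes through without one whenever `account_reauthentication_required` is `False`; the MFA path has no such switch.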