ESCALATED: User must have verified email before enabling 2FA
Description:
1- Attacker registers with the victim's email (one that is not yet a user at GitLab)
2- Attacker can log in without email verification
3- Attacker can enable 2FA without email verification
Impact:
When the user wants to register his email at GitLab and finds that someone has already made an account with it, he will do a password reset and change the password, but he still can't access the account because 2FA was activated by the attacker first.
Proposal
Don't allow 2FA configuration with an unverified email address.
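
The proposed check, sketched as an added example (not GitLab's code): a small in-memory model that runs the reported sequence with and without the guard. Account, TwoFactorService, UnverifiedEmailError and the sample address are hypothetical names, and the model assumes the real owner holds no OTP device for the account.

```ruby
require 'securerandom'

# Hypothetical names throughout; this models the report, not GitLab internals.
class UnverifiedEmailError < StandardError; end

Account = Struct.new(:email, :password, :confirmed, :otp_secret) do
  def two_factor_enabled?
    !otp_secret.nil?
  end
end

class TwoFactorService
  # require_confirmed: false reproduces the reported behaviour,
  # require_confirmed: true applies the proposal.
  def initialize(require_confirmed:)
    @require_confirmed = require_confirmed
  end

  def enable(account)
    if @require_confirmed && !account.confirmed
      raise UnverifiedEmailError, 'confirm the email address before enabling 2FA'
    end
    account.otp_secret = SecureRandom.hex(16)
    account
  end
end

# A password reset replaces the password only; the second factor is untouched.
def reset_password(account, new_password)
  account.password = new_password
  account
end

# Assumption: the mailbox owner has no OTP device for this account, so sign-in
# works only when the password matches and no second factor is enrolled.
def owner_can_sign_in?(account, password)
  account.password == password && !account.two_factor_enabled?
end

# Constructed scenario following the report: unverified signup, 2FA enrollment
# attempt, then the mailbox owner resets the password and tries to sign in.
def scenario(require_confirmed:)
  account = Account.new('victim@example.com', 'first-password', false, nil)
  begin
    TwoFactorService.new(require_confirmed: require_confirmed).enable(account)
  rescue UnverifiedEmailError
    # Enrollment refused: the account stays without a second factor.
  end
  reset_password(account, 'owner-password')
  owner_can_sign_in?(account, 'owner-password')
end
```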