TPA-RFC-46: enforce 2FA for TPA members

i would like us to enforce 2fa for the tpo/tpa group. there is a setting in this group here that says:

All users in this group must set up two-factor authentication

there is also a field that sets a grace period (default 48h) to enforce it. i would like to push that button. maybe i should make an RFC but for now a ticket will do.