Ensure that all Arch staff and external contributors are forced to use OTP
Acceptance criteria:
While logging into Keycloak...

- a normal user isn't forced to set up OTP if they didn't do so before
- a normal user is forced to provide exactly one OTP if they set it up before
- a Staff-role user is forced to set up OTP if they didn't do so before
- a Staff-role user is forced to provide exactly one OTP
- an External Contributor-role user is forced to set up OTP if they didn't do so before
- an External Contributor-role user is forced to provide exactly one OTP
- upon removing an active OTP device from Keycloak, the same rules are applied as before, when the user didn't have OTP set up at all