Auth mfa enrollment without email verification

Users are allowed to enroll in Multi-Factor Authentication (MFA) before their email address is verified. This could allow a malicious actor to register with an email they don't own, add an MFA factor, and then lock out the legitimate owner of that email.