Enforcing Two-Factor Authentication