Description
2FA shoud be natively supported by the security component, to get more interoperability between projects and support from the community (as well as external bundles provinding specific 2FA features, e.g. U2F).

There are bundles providing support, but most of them are either outdated or not providing a simple, low level API (with a seamless integration in the Symfony security component). They also do not provide the same guaranteed support as Symfony does.

Example
The latest version ofscheb/two-factor-bundle provides a good proof of concept, but the API is too restrictive, high level and some of the validation / handling code for the 2FA is a duplicate from existing code in the security component.

Some of the main low levels features which would be useful:

• Providers/Challengers: used to implement away for validating 2FA
• Activators: used to enable/disabled 2FA for specific providers based on the authentication context
• SecondFactorInterface, which may be used to persist challenges (same use as the UserInterface, but for 2FA)

I guess a new role equivalent to IS_AUTHENTICATED_ANONYMOUSLY would be required, like in the process described here:https://github.com/scheb/two-factor-bundle/blob/master/Resources/doc/index.md#the-authentication-process

[Edit] See this comment for a proposal to unify sudo mode, MFA and remember me:

• [Security] Native support for 2FA #28868 (comment)