Closed
Description
To check the user's TOTP key registration status and enforce 2FA settings, you should implement this in the POST_AUTHORIZE hook handler of the manager. If a TOTP key is not registered and the force-2FA option is activated, the handler should return the token value in a bad request response.
(Note: It is challenging to allow the hook handler to return a redirect response (3xx) instead of a 400 error.)