Prior, if the user enabled 2FA, then disabled it and came back some time
after the grace period expired, they would be forced to enable 2FA
immediately.