twofactor_auth bypassable if provider fails to load

(Just want to preface this by saying that this is probably not a significant vulnerability, as it requires that the server either have recently been incorrectly upgraded or otherwise misconfigured. However in the administration of my own personal NextCloud instance I have hit this several times.) This is a general trait of 2FA provider failures. If you enable 2FA for any given user on NextCloud, and the 2FA provider fails to by enabled for whatever reason (such as an upgrade which made the 2FA provider incompatible, or the 2FA provider source code was removed or corrupted somehow) then 2FA will be bypassable for all accounts on the system. While this may not seem like a significant issue, since twofactor_auth providers are not part of the main NextCloud server source, upgrading the main server (either through the official updater app, or manually) will result in twofactor_auth being disabled if the provider has not been updated. Thus there is a window around upgrading the NextCloud server where an attacker can bypass 2FA. Ultimately the solution to this problem would be to *always* require 2FA if 2FA has been enabled, and if a provider is not available you must require that the user enter one of their backup codes. I'm not sure how backup codes are currently implemented, but if they're implemented in the server (rather than individually by each 2FA provider) this should not be overly complicated to implement. I have only tested this with the TOTP 2FA provider, but I would be surprised if it didn't affect all 2FA providers. ## Impact Attackers being able to bypass 2FA means that keyloggers or other tools could be used to steal the users' passphrase, and then the attacker could gain access while the user would expect the attacker to require access to their 2FA token.