Require confirmed email to enable 2FA

app/controllers/profiles/two_factor_auths_controller.rb

@@ -221,7 +221,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   end
 
   def ensure_verified_primary_email
-    return unless Feature.enabled?(:ensure_verified_primary_email_for_2fa)
+    return unless Feature.enabled?(:ensure_verified_primary_email_for_2fa, default_enabled: :yaml)
 
     unless current_user.two_factor_enabled? || current_user.primary_email_verified?
       redirect_to profile_emails_path, notice: s_('You need to verify your primary email first before enabling Two-Factor Authentication.')

config/feature_flags/development/ensure_verified_primary_email_for_2fa.yml

@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/340151
 milestone: '14.3'
 type: development
 group: group::access
-default_enabled: false
+default_enabled: true

doc/user/profile/account/two_factor_authentication.md

@@ -35,8 +35,19 @@ still access your account if you lose your U2F / WebAuthn device.
 
 ## Enabling 2FA
 
-There are multiple ways to enable two-factor authentication: by using a one-time
-password authenticator or a U2F / WebAuthn device.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35102) in GitLab 14.3, account email confirmation required.
+
+There are multiple ways to enable two-factor authentication (2FA):
+
+- Using a one-time password authenticator.
+- Using a U2F / WebAuthn device.
+
+In GitLab 14.3 and later, your account email must be confirmed to enable two-factor authentication.
+
+FLAG:
+On self-managed GitLab, account email confirmation requirement is enabled. To disable this
+restriction, ask an administrator to
+[disable the `ensure_verified_primary_email_for_2fa` flag](../../../administration/feature_flags.md).
 
 ### One-time password