initially, the idea was to make the server enforce it. this is more secure. however,
we have 3 kinds of clients - an external cloudron dashboard which needs totp,
an external cloudron app, which doesn't have totp and external apps that don't have totp either.
given that the directory server is IP restricted, this is a reasonable compromise until
we move wholesale to oidc.
a directoryserver setting like "enforce totp" also does not work since this policy will be
applied to all clients.
