“When a user has just configured 2FA via the shortcode page, the page initially looks correct: the “reset grace period” form is hidden and the message “Locked out, two-factor auth is required for your account, but has not been configured” is not shown. However, after a browser reload (F5), both the form and the message reappear — even though 2FA is active and they shouldn’t be there.”
Sorry, just the other way around: after the user configures 2FA, you unexpectedly get the form, and it vanishes after the page refresh.
Of course the user has no webmaster/admin rights.