Re: enable 2fa for UAA zone
> We see the UAA more frequently used as an identity proxy than as an IdP
This may be true because UAA doesn't support MFA.
cloud.gov runs its own IdP simply because MFA is not supported by UAA. To quote from Bret Mogilefsky from https://github.com/cloudfoundry/cf-deployment/pull/540
> This is a shocking disappointment. The cloud.gov team predicated a chunk of their roadmap on the understanding that MFA was staying.