2FA not Enforced if a User has an Additional Capability and wpga_active not Set #43

@asif-anwar

Hey,

I want to report a corner case. We have enforced 2FA for a select list of roles. But the user is able to log in without 2FA if:

  1. The user has a capability directly assigned to him in addition to a normal role, like this: `a:2:{s:14:"capability_new";b:1;s:10:"subscriber";b:1;}`,
  2. And the `wpga_active` meta key is not set. We have a lot of cases where the 2FA is active but `wpga_active` is not set.
  3. And the capability comes before the role.

Thanks
Asif
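
An audit sketch for the three conditions listed in the issue, added here as an example (not code from the issue or the plugin): it parses exported `wp_capabilities` values and flags users whose direct capability is stored before an enforced role while `wpga_active` is absent. The enforced role set, the sample rows and the stored `wpga_active` value are constructed assumptions; only the presence of the key is checked.

```python
import re

# One `s:<len>:"<key>";b:<0|1>;` pair of a flat PHP-serialized array, the shape
# of the wp_capabilities value quoted in the issue.
PAIR = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

# WordPress default role names; any other key is treated as a direct capability.
ALL_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}
ENFORCED_ROLES = {"subscriber"}  # assumption: roles the site enforces 2FA for

def granted_keys(serialized):
    """Return the granted keys of a capabilities value in stored order."""
    m = re.fullmatch(r"a:(\d+):\{(.*)\}", serialized.strip())
    if not m:
        raise ValueError("not a flat PHP-serialized array")
    pairs = PAIR.findall(m.group(2))
    if (PAIR.sub("", m.group(2)) or len(pairs) != int(m.group(1))
            or any(int(n) != len(k.encode()) for n, k, _ in pairs)):
        raise ValueError("malformed or unsupported capabilities value")
    return [k for _, k, v in pairs if v == "1"]

def matches_reported_case(caps, meta):
    """True when all three conditions listed in the issue hold for one user."""
    keys = granted_keys(caps)
    role_pos = [i for i, k in enumerate(keys) if k in ENFORCED_ROLES]
    if not role_pos or "wpga_active" in meta:
        return False  # no enforced role, or wpga_active is set
    # A non-role key is stored before the first enforced role.
    return any(k not in ALL_ROLES for k in keys[:role_pos[0]])

# Constructed sample rows: login -> (wp_capabilities value, other user meta).
USERS = {
    "alice": ('a:2:{s:14:"capability_new";b:1;s:10:"subscriber";b:1;}', {}),
    "bob": ('a:2:{s:10:"subscriber";b:1;s:14:"capability_new";b:1;}', {}),
    "carol": ('a:2:{s:14:"capability_new";b:1;s:10:"subscriber";b:1;}',
              {"wpga_active": "1"}),  # constructed value; presence is what counts
    "dave": ('a:1:{s:10:"subscriber";b:1;}', {}),
}

def audit(users):
    """Return logins that need manual review of their 2FA state."""
    return sorted(u for u, (caps, meta) in users.items()
                  if matches_reported_case(caps, meta))

if __name__ == "__main__":
    print(audit(USERS))
```
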
