Since two-factor relies on the default wp_login action, other plugins which use the same action could use an earlier priority, thus leading to two-factor getting circumvented - this results in an unwanted security risk for most WP site owners.

in class-two-factor-core.php
add_action( 'wp_login', array( __CLASS__, 'wp_login' ), 10, 2 );

Since 10 is WP's default priority, various plugins and themes use this action with a priority between -10 to 9 to add a feature - this however means that two-factor might get circumvented by those, which is a major security issue.

I think we should change the priority 10, to -9999, thus ensuring that only devs who actively want to circumvent two-factor authentication also do so.
From a end user's (= WP website owner) perspective this makes the most sense, because: I want to make sure that two-factor is used, no matter which theme/plugins I install. Those should not reduce my site's security by accident.

Theoretically we could also change it to PHP_INT_MIN which would make sure that two-factor is never circumvented - I think this is not a good idea though, as there may be cases where a plugin may want to circumvent two-factor.