Even when the organisation does not require 2FA, users should have the option to enable 2FA. A logged-in user should be able to reset or disable their 2FA it.