
Remove controller-level "bypass" check for SP MFA requirement #11375

Merged
aduth merged 3 commits into main from aduth-rm-mfa-controller-bypass-check
Oct 22, 2024

Conversation

@aduth (Contributor) commented Oct 22, 2024

🎫 Ticket

Supports LG-14455

🛠 Summary of changes

Removes a before_action check from MFA controllers to ensure that a user is only allowed to MFA with a phishing-resistant MFA or PIV/CAC if required by the partner.

These are not effective bypass checks, and are already considered as part of confirm_two_factor_authenticated for final authentication checks of OIDC and SAML. Since weaker MFA options are excluded from the options listing when phishing-resistant or PIV/CAC is required from a partner, the only way a user would be able to visit these pages is by manually crafting the URL. If they were to do this (see "Testing Plan"), they'd still be redirected back to authenticate with a phishing-resistant method or PIV/CAC after authenticating with the other method.

📜 Testing Plan

Verify no regressions of LG-3209 and LG-3185.

Verify that build passes, and notably there are specs with effective bypass attempt checking that still pass.

Attempt to bypass partner requirements, and verify that you are unable:

Prerequisite: Have an account with a phishing-resistant method (ideally PIV/CAC) and at least one phishable method (e.g. phone).

  1. Start OIDC sample application or SAML sample application in a separate process
  2. Visit sample application
  3. Change "Authentication Assurance Level (AAL)" to "Phishing-resistant AAL2" or "HSPD12 required"
  4. Click "Sign in"
  5. Sign in with email and password
  6. When prompted for MFA, change URL to http://localhost:3000/login/two_factor/sms (or replace "sms" with another phishable MFA on your account)
  7. Authenticate with your phishable method. For phone in local development, the code may not populate immediately, so click "Send another code" to auto-fill
  8. Observe that you're prompted for your non-phishable method, indicating you're not able to finish authenticating without MFA-ing with a valid method per partner requirements

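The consolidated check the description relies on, as an added example that is not the project's own code: a minimal Ruby model in which the partner's requirement is enforced once at the protocol (OIDC/SAML) controller, with the option-list filter alongside it for contrast. The `SpRequest` struct, the method names, the method classification lists and the session representation are all assumptions.

```ruby
# Constructed model of a protocol-level MFA-requirement check (not the
# project's own code). Names, struct and classifications are assumptions.

PHISHING_RESISTANT = %i[piv_cac webauthn webauthn_platform].freeze

# Partner (service provider) requirement, as selected in the sample app.
SpRequest = Struct.new(:phishing_resistant_required, :piv_cac_required,
                       keyword_init: true)

# MFA options the selection page should list: weaker methods are hidden when
# the partner requires a stronger one. This is a UX filter, not the enforcement.
def mfa_options(sp_request, enrolled_methods)
  return enrolled_methods & [:piv_cac] if sp_request.piv_cac_required
  return enrolled_methods & PHISHING_RESISTANT if sp_request.phishing_resistant_required

  enrolled_methods
end

# The enforcement point. `authenticated_methods` is every method the user has
# completed in this session, including any reached by a hand-edited URL.
# Returns :authenticated, or the step the user must be redirected to.
def confirm_two_factor_authenticated(sp_request, authenticated_methods)
  return :redirect_to_mfa if authenticated_methods.empty?

  if sp_request.piv_cac_required && !authenticated_methods.include?(:piv_cac)
    return :redirect_to_piv_cac
  end
  if sp_request.phishing_resistant_required &&
     (authenticated_methods & PHISHING_RESISTANT).empty?
    return :redirect_to_phishing_resistant
  end

  :authenticated
end

# Replays the bypass attempt from the testing plan: partner requires
# phishing-resistant AAL2, the user hand-edits the URL and completes SMS.
def bypass_attempt_outcome
  sp = SpRequest.new(phishing_resistant_required: true, piv_cac_required: false)
  enrolled = %i[sms piv_cac]
  listed = mfa_options(sp, enrolled)                       # SMS is not offered
  after_sms = confirm_two_factor_authenticated(sp, [:sms]) # still redirected
  after_piv = confirm_two_factor_authenticated(sp, %i[sms piv_cac])
  { listed: listed, after_sms: after_sms, after_piv: after_piv }
end

puts bypass_attempt_outcome.inspect if $PROGRAM_NAME == __FILE__
```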
@aduth aduth requested a review from mitchellhenke October 22, 2024 12:31
changelog: Internal, Code Quality, Consolidate phishing-resistant MFA checks to protocol controllers
@aduth aduth merged commit 7a5be9a into main Oct 22, 2024
@aduth aduth deleted the aduth-rm-mfa-controller-bypass-check branch October 22, 2024 15:27