Added checks for 2FA to the API `/sessions` endpoint and the Resource Owner Password Credentials flow.