The current 2FA enrollment allows a user to enroll for 2FA without testing that the enrollment went OK.

The enrollment interface is a bit confusing and sometimes users just scans the QR-code with their phone camera instead of scanning it within Google Authenticator and as a result a 2FA profile is not actually created.

It shouldn't be possible to complete the enrollment without a successful authentication test.

By the way - the field where one can test 2FA on the enrollment screen is barely noticable - I have had MANY users that didn't see it as a field.