Insecure MFA begin: no per-user secret, no nonce, bypass enabled.

Visiting this with ?mfa=ok sets MFA as passed.
Verifier accepts 000000 as a universal code.

Example bypass link (demo): https://owaspsecure.com/demo/a07_auth/attacks/mfa_flow/begin_insecure.php?mfa=ok