Added second factor bypass subcategory

[kelbyludwig]

No description provided.

[kelbyludwig]

There are a few possible variations of this PR and I'm happy to hear feedback on what the maintainers feel is best:

• With this change, it may be worthwhile to update the P1 "Authentication Bypass" item to something like "Complete Authentication Bypass".

• I went with "Second Factor Authentication Bypass", but I think "Second Step Authentication Bypass" or "Partial Authentication Bypass" may apply more generally.

[plr0man]

The JSON looks fine, but Buildkite can't validate PRs that are done in forked repos. I would definitely recommend opening an issue first in the future, that gives us a chance to provide feedback before filing the PR.
I am not convinced by P2 for bypassing second factor only, after all being able to do so is similar to not having 2FA enabled in terms of security impact, at least in most cases. The difference being the account owner trusting a broken defense-in-depth mechanism.
Looks like theInsufficient Security Configurability->Weak 2FA Implementation subcategory would be the entry of choice here, granted it does not have an assigned priority, but context based seems to be appropriate.