add default token auth config on install, upgrade and add it to sample config

config/config.sample.php

@@ -194,6 +194,13 @@ $CONFIG = array(
  */
 'session_keepalive' => true,
 
+/**
+ * Enforce token authentication for clients, which blocks requests using the user
+ * password for enhanced security. Users need to generate tokens in personal settings
+ * which can be used as passwords on their clients.
+ */
+'token_auth_enforced' => false,
+
 /**
  * The directory where the skeleton files are located. These files will be
  * copied to the data directory of new users. Leave empty to not copy any

lib/private/User/Session.php

@@ -368,6 +368,9 @@ class Session implements IUserSession, Emitter {
 			array('uid' => &$username)
 		);
 		$user = $this->manager->get($username);
+		if (is_null($user)) {
+			return true;
+		}
 		// DI not possible due to cyclic dependencies :'-/
 		return OC::$server->getTwoFactorAuthManager()->isTwoFactorAuthenticated($user);
 	}