Assuming that you haven’t disabled 2FA altogether, this is probably an artifact of Hosted Login’s support for trusted devices. With trusted devices, a user who logs on for the first time is required to go through the 2FA process. As part of that process, however, the user can mark their device as a “trusted device.” That means that, for a specified period of time (and under certain conditions), the user is exempt from two-factor authentication: after they log on they’re given an access token and are allowed to bypass the 2FA process. By default, the exemption lasts 30 days, so a user can go quite a while (like, say, 30 days) without ever being prompted to enter a 2FA access code. (Again, assuming that they are logging on from a trusted device.)
The bottom line? It’s not unusual for users to go through 2FA the first time they log on, then be able to bypass 2FA for weeks at a time.
You say you’re not sure you like that? That’s fine: by adding the authentication.second_factor.trust_device_ttl setting to your application client you can change the 30-day exemption period to something shorter; in fact, by setting authentication.second_factor.trust_device_ttl to 0 you can require users to use 2FA each and every time they log on. See this article for details.
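To make the exemption window concrete, here is a small simulation of the trusted-device rule described above. It is an added example, not code from Hosted Login or from the original article: it models the policy (first login always requires 2FA; a trusted device is exempt until the TTL elapses; a TTL of 0 means the exemption never applies) and replays a sequence of logins against the default 30-day window, a 7-day window, and a TTL of 0. The assumption that trust_device_ttl is expressed in seconds, and the shape of the client-settings document built by client_settings_for_ttl, are the author of this example’s assumptions, not something the article states.

```python
"""Simulation of the Hosted Login trusted-device 2FA exemption.

Added example; not Akamai/Hosted Login code. The TTL unit (seconds) and the
settings-document shape below are assumptions made for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Name of the application-client setting discussed in the article.
TRUST_DEVICE_TTL_SETTING = "authentication.second_factor.trust_device_ttl"

# Default exemption window: 30 days. Expressed in seconds (assumed unit).
DEFAULT_TRUST_DEVICE_TTL = 30 * 24 * 60 * 60

# Fixed reference instant so the simulation is deterministic (constructed).
BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)


def second_factor_required(trusted_since: Optional[datetime],
                           now: datetime,
                           ttl_seconds: int = DEFAULT_TRUST_DEVICE_TTL) -> bool:
    """Decide whether this login must complete 2FA.

    trusted_since: when the device was last marked trusted, or None if never.
    ttl_seconds:   the trust_device_ttl value; 0 disables the exemption.
    """
    if ttl_seconds < 0:
        raise ValueError("trust_device_ttl must be >= 0")
    if trusted_since is None:
        return True  # device was never marked trusted: always prompt
    if ttl_seconds == 0:
        return True  # TTL of 0: prompt on each and every login
    # Exemption holds strictly inside the window; at or past expiry, prompt again.
    return now - trusted_since >= timedelta(seconds=ttl_seconds)


def trust_expires_at(trusted_since: datetime, ttl_seconds: int) -> Optional[datetime]:
    """Instant at which a trusted device is prompted again (None when TTL is 0)."""
    if ttl_seconds == 0:
        return None
    return trusted_since + timedelta(seconds=ttl_seconds)


def simulate_logins(login_days: List[int],
                    ttl_seconds: int = DEFAULT_TRUST_DEVICE_TTL) -> List[Tuple[int, bool]]:
    """Replay logins at the given day offsets from BASE on one device.

    Whenever 2FA is required, the user completes it and re-marks the device
    as trusted, which restarts the window. Returns (day, required) pairs.
    """
    trusted_since: Optional[datetime] = None
    outcomes: List[Tuple[int, bool]] = []
    for day in login_days:
        now = BASE + timedelta(days=day)
        required = second_factor_required(trusted_since, now, ttl_seconds)
        if required:
            trusted_since = now  # user passes 2FA and trusts the device again
        outcomes.append((day, required))
    return outcomes


def client_settings_for_ttl(ttl_seconds: int) -> dict:
    """Build the application-client settings entry for a chosen TTL.

    Assumed shape: a flat key/value document with the value as a string.
    Check the Hosted Login configuration documentation before applying it.
    """
    if ttl_seconds < 0:
        raise ValueError("trust_device_ttl must be >= 0")
    return {TRUST_DEVICE_TTL_SETTING: str(ttl_seconds)}


if __name__ == "__main__":
    logins = [0, 1, 29, 30, 31, 61]  # constructed login schedule, in days
    for label, ttl in (("default 30 days", DEFAULT_TRUST_DEVICE_TTL),
                       ("7 days", 7 * 24 * 60 * 60),
                       ("TTL 0 (always prompt)", 0)):
        print(label, simulate_logins(logins, ttl))
    print(client_settings_for_ttl(0))
```

With the default window the device is prompted on day 0, then again on day 30 and day 61 (the day-30 prompt restarts the window); with a 7-day window the prompts move to days 0, 29 and 61; with a TTL of 0 every login prompts. The expiry check uses “at or past the TTL”, so a login exactly 30 days after trusting the device is prompted again; if the real service treats that boundary differently, only that one instant changes.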