AphrontRequest has some crufty old magic around passthrough parameters.
As MFA has come to more places, we have an increasing number of checks against isFormOrHisecPost(). This distinction is probably needless and we can likely remove this method in favor of just isFormPost().
The isContinueRequest() is used exclusively to confirm that you want to apply a partial set of transactions, some of which will have no effect. This magic is undone in the MFA workflow and probably does not need to be magic at all.
The __preview__ magic is probably fine as preview or similar, not a piece of magic.
Generally, it would be good to get all the application-specific stuff out of AphrontRequest. Fundamental infrastructure things like __ajax__ and probably __workflow__ are fine, but __continue__, __preview__, etc., are probably not good fits for request magic.
- Submit a task transaction with "Sign With MFA", a no-op edit (e.g., "Change Projects" with no changes), and a comment. You should be prompted to confirm that you want to only post the comment ("Some transactions have no effect"), then prompted for MFA, then the partial transaction set should submit.