This step is a huge improvement to account security, but it is quite difficult for non-technical users to understand.
Applications should be able to force MFA if they desire, enabling/disabling different mechanisms they deem fit for purpose.
Options for MFA:
SMS / phone call (easily compromised).
Software TOTP token.
Physical hardware Time-based One Time Password (OTP) token.
Physical hardware U2F token (most secure).
It should be possible for application administrators to disable MFA on individual accounts, after approving gigantic warning messages. This is due to the inevitability of users losing access to their their MFA device. It will come down to the application administrator to validate the identity of the user before doing this.
This step is a huge improvement to account security, but it is quite difficult for non-technical users to understand.
Applications should be able to force MFA if they desire, enabling/disabling different mechanisms they deem fit for purpose.
Options for MFA:
It should be possible for application administrators to disable MFA on individual accounts, after approving gigantic warning messages. This is due to the inevitability of users losing access to their their MFA device. It will come down to the application administrator to validate the identity of the user before doing this.