Limit MFA scope to member groups

Overview

We've heard from project teams that adding MFA to some sites is blocked if the project includes members that do not have access to the CMS.

In these cases, Site Owners would like the MFA flow to only apply to certain users that have some level of access to the CMS.

A common example is where member profiles are being used to store customer login details for a separate portal managed within the site.

Options

In both of these options, if a user has already registered MFA for their account, they will continue using MFA each time they log in regardless of MFA settings.

Regardless of which option we select, we have to decide:

Is being prompted to register with MFA the first time you log on necessary for anyone who has the option of using MFA? (I strongly recommend yes)

Option 1: If you're not in the group, you can't register MFA for your account

This is the behaviour of the existing PR.

By default, no group is selected and the behaviour applies to everyone
You can select groups for both making MFA optional and for making MFA required.
If you select one or more groups, only members of those groups will be prompted to or allowed to register for MFA

Option 2: Groups only apply for making MFA required

This was suggested (and designed for) in https://github.com/silverstripe/silverstripe-mfa/pull/409#issuecomment-725774762 but later rejected in favour of option 1

By default, no group is selected and the behaviour applies to everyone
If you make MFA optional, you cannot select groups. Optional is optional for everyone
If you make MFA required, you can choose to only make it required for specific groups. For anyone not in those groups, MFA will be optional - i.e. the behaviour for them will be identical to how it is when setting optional for everyone.

silverstripe / silverstripe-mfa