My expectation from the above code is as follows:
If the user has previously enrolled in MFA and they meet either of the two requirements needed for MFA (location change or last login date > 30 days ago - they are challenged with the MFA.
If the user hasn’t previously enrolled then they should be sent to the screen where they can scan a QR code for authenticator app and enroll with MFA.
As it stands, the api.authentication.enrollWithAny([{type: 'webauthn-roaming'}, {type: 'otp'}]); line isn’t doing anything. The user is authenticated without any MFA challenge or enrollment.