We need MFA to be turned on by default in production so I need to set the policy to ‘always’.
However, I only want SMS on one app, and SMS and authenticator on another app.
Can this be achieved in Actions with the setup above?
For this use case, we don’t quite have an option that exactly fits. When more than one allowed MFA factor is enabled, the user will be prompted to enroll in whatever the most secure factor is, and between SMS and OTP, OTP is considered the more secure option. Actions can only specify between 'any', 'duo', 'google-authenticator', and 'guardian', therefore we do not have the ability to isolate just SMS as the only allowed factor to enroll in. If you set it to ‘any’, users will first be prompted to enroll in OTP, though they can select “Choose another method” on the enrollment page and then choose SMS.
So while we cannot prevent OTP as an option for enrollment for a specific app, we can display both options to the user if you enable “Show Multi-factor Authentication options” in the Additional settings section of the MFA page in the Dashboard.
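A post-login Action for the two apps in the question, added here as an illustration and not part of the original reply or Auth0's own code. The client IDs are constructed placeholders, `resolveProvider` is a hypothetical helper, and the tenant is assumed to have only SMS and OTP enabled; the point is that the SMS-only app still ends up with 'any'.

```javascript
// Provider values an Action can pass, as listed in the answer above.
const ACTION_PROVIDERS = ['any', 'duo', 'google-authenticator', 'guardian'];
// Assumption: the only factors enabled on the tenant are SMS and OTP.
const TENANT_FACTORS = ['otp', 'sms'];

// Constructed placeholder client IDs with the factors each app would ideally offer.
const APP_MFA = {
  CLIENT_ID_APP_ONE: { wanted: ['sms'], provider: 'any' },
  CLIENT_ID_APP_TWO: { wanted: ['sms', 'otp'], provider: 'any' },
};

// Hypothetical helper: returns the provider to enable for an app and whether
// that provider offers exactly the factors the app asked for.
function resolveProvider(clientId) {
  const cfg = APP_MFA[clientId];
  if (!cfg) return null; // unlisted app: leave the tenant MFA policy in charge
  if (!ACTION_PROVIDERS.includes(cfg.provider)) {
    throw new Error(`unsupported MFA provider: ${cfg.provider}`);
  }
  // 'any' offers every tenant-enabled factor, so it is exact only when the
  // wanted set equals TENANT_FACTORS. 'sms' alone is not a provider value.
  const exact = cfg.provider === 'any' &&
    [...cfg.wanted].sort().join() === [...TENANT_FACTORS].sort().join();
  return { provider: cfg.provider, exact };
}

async function onExecutePostLogin(event, api) {
  const choice = resolveProvider(event.client.client_id);
  if (!choice) return;
  if (!choice.exact) {
    // Record the gap: OTP enrollment will also be offered to this app's users.
    console.log(`MFA for ${event.client.client_id}: cannot restrict to requested factors`);
  }
  api.multifactor.enable(choice.provider, { allowRememberBrowser: false });
}

// Auth0 Actions load the handler from exports (CommonJS).
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```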