Welcome to the community @copiousfreetime and @lmcmullen - Thanks a bunch for the follow up on this @copiousfreetime 
A quick note for future community users - I’m not positive (yet) that there is an equivalent to this using Actions, but going to route mentioned requiring multi-factor auth set to “Never” in Security → Multi-Factor Auth.
exports.onExecutePostLogin = async (event, api) => {
//skip mfa for users with skip_mfa flag in app_metadata
const userAppMetaData = event.user.app_metadata;
if (!(userAppMetaData.skip_mfa == true)) {
console.log(`user ${event.user.email} mfa enforced`)
api.multifactor.enable(`any`);
} else {
console.log(`user ${event.user.email} skipped mfa`)
}
};
Hope this helps!