POLITIFAST

MFA Enforcement

Per-role MFA requirement + admin enrollment status.

Last updated 05/24/26

What this surface does

MFA Enforcement shows which admins have multi-factor authentication enrolled (TOTP) and lets you flip the per-role enforcement requirement. Admin role is MFA-required by default (migration 170).

When to use it

  • Onboarding a new admin — confirm enrollment before granting access.
  • Auditing — every admin should show "enrolled" status.
  • Lockout recovery — an admin who lost their TOTP device needs an unenroll + re-enroll path.

Key gotchas

  • Disabling MFA enforcement for the admin role is a security regression — the migration requires it. Do not toggle off without a documented reason.
  • Lockout recovery is a manual flow — see the runbook. Do not unenroll without verifying identity out-of-band.
  • Backup codes are single-use and consumed silently. An admin near zero remaining codes needs new ones.
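The following is an added example, not POLITIFAST's own code, showing the checks an enforcement surface like this one depends on: a per-role policy where the admin role is MFA-required by default and can only be switched off with a recorded reason, TOTP verification per RFC 6238, an access decision that blocks an unenrolled admin, single-use backup codes whose remaining count is surfaced rather than consumed silently, and an unenroll path that refuses to run without out-of-band identity verification. The `editor` role, the low-code threshold of 2, the hashing of stored backup codes, and the `PolicyError` class are assumptions for illustration.

```python
"""Added example (not POLITIFAST's code): per-role MFA enforcement, TOTP
verification, single-use backup codes and a guarded recovery path."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# --- Per-role enforcement policy -------------------------------------------
# The page states the admin role is MFA-required by default; the "editor"
# role and the documented-reason rule are assumptions for this example.
DEFAULT_POLICY: Dict[str, bool] = {"admin": True, "editor": False}


class PolicyError(Exception):
    """Raised when a change would violate the enforcement rules."""


def set_enforcement(policy: Dict[str, bool], role: str, required: bool,
                    reason: str = "") -> Dict[str, bool]:
    """Return a copy of `policy` with `role` updated. Turning enforcement off
    for the admin role is a security regression, so it is refused unless a
    reason is recorded alongside the change."""
    if role == "admin" and not required and not reason.strip():
        raise PolicyError("disabling admin MFA requires a documented reason")
    updated = dict(policy)
    updated[role] = required
    return updated


# --- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) -----------------
def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP value for `unix_time` (HOTP over the time counter)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps, using a
    constant-time comparison for each candidate."""
    return any(
        hmac.compare_digest(totp_code(secret, unix_time + k * 30), code)
        for k in range(-window, window + 1)
    )


# --- Accounts and backup codes ---------------------------------------------
def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    username: str
    role: str
    totp_secret: Optional[bytes] = None              # None means not enrolled
    backup_code_hashes: Set[str] = field(default_factory=set)

    @property
    def enrolled(self) -> bool:
        return self.totp_secret is not None


def issue_backup_codes(account: Account, count: int = 8) -> List[str]:
    """Generate fresh codes; only hashes are stored, plaintext is shown once."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    account.backup_code_hashes = {_hash_code(c) for c in codes}
    return codes


LOW_CODE_THRESHOLD = 2  # assumed threshold for the "needs new codes" warning


def consume_backup_code(account: Account, code: str) -> Tuple[bool, int, bool]:
    """Single-use: a matching code is removed on success. Returns
    (accepted, remaining, low_warning) so the caller can show the count
    instead of consuming codes silently."""
    h = _hash_code(code)
    if h in account.backup_code_hashes:
        account.backup_code_hashes.discard(h)
        remaining = len(account.backup_code_hashes)
        return True, remaining, remaining <= LOW_CODE_THRESHOLD
    return False, len(account.backup_code_hashes), False


def access_decision(account: Account, policy: Dict[str, bool]) -> str:
    """What the enforcement surface should do for this account at login."""
    if policy.get(account.role, False) and not account.enrolled:
        return "block: enrollment required before access"
    if account.enrolled:
        return "require_mfa"
    return "allow"


def unenroll_for_recovery(account: Account, identity_verified: bool) -> Account:
    """Lockout recovery: unenroll only after an out-of-band identity check,
    then clear backup codes so the old set cannot be reused after re-enroll."""
    if not identity_verified:
        raise PolicyError("verify identity out-of-band before unenrolling")
    account.totp_secret = None
    account.backup_code_hashes.clear()
    return account
```

The TOTP routine can be checked against the RFC 6238 reference vector (ASCII secret `12345678901234567890`, time 59 gives `287082` at six digits). In practice the reason string passed to `set_enforcement` would be a ticket or change record reference; the value used in testing here is a constructed placeholder.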