I began looking into enabling MFA for developers. I first began with the following commands:
# Setup posture check of MFA
ziti edge create posture-check mfa global-mfa-check \
-a "mfa-required" \
-w -u \
-s 28800
# Apply to all DIAL services
ziti edge update service-policy dev-dial --posture-check-roles "#mfa-required"
ziti edge update service-policy corp-dial --posture-check-roles "#mfa-required"
ziti edge update service-policy prod-dial --posture-check-roles "#mfa-required"
I could sign in with MFA but my configs under my DIALs always failed even though Ziti successfully accepted my MFA token. Each config said under the Posture Check "MFA (FAILED)".
I removed them and thought, "Let me enable at default for all users":
ziti edge update auth-policy "Default" --secondary-req-totp
Worst mistake. Now whenever I try to log in to make changes, either through the Ziti Console or the CLI, I get this response:
ssm-user@ip-10-40-15-120:~$ ziti edge login
Using controller url: https://ziti-corp.ctlr.foo.com:1280/edge/management/v1 from identity 'default' in config file: /home/ssm-user/.config/ziti/ziti-cli.json
Using username: admin from identity 'default' in config file: /home/ssm-user/.config/ziti/ziti-cli.json
Enter password:
Error: totp enrollment is required but no totp enrollment provider was configured
totp enrollment is required but no totp enrollment provider was configured
I think I screwed myself and will probably have to do all my changes all over again. Wondering if there is a backdoor for removing the Default MFA, and what I was doing wrong with MFA where I want to enforce it.
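The lockout above comes from changing the "Default" auth policy, which is also the policy the admin CLI identity authenticates under. A safer rollout pattern is to leave Default alone, create a separate auth policy that requires TOTP, and move only the developer identities onto it, so the account you would use to undo a mistake keeps working. The script below is an added example (not from the original post or the OpenZiti project); it assumes that `ziti edge create auth-policy --secondary-req-totp`, `ziti edge list auth-policies '<filter>'` and `ziti edge update identity <name> --auth-policy <policy>` behave as used here (check `ziti edge update identity --help` on your version), and it reads the binary path from ZITI_BIN so it can be exercised against a stub. Policy and identity names are placeholders.

```shell
#!/bin/sh
# Staged TOTP rollout for OpenZiti (added example, not the project's own code).
# Creates a dedicated TOTP-required auth policy and assigns it to named
# identities, refusing to touch the built-in "Default" policy or the admin
# identity so an error here cannot lock out the account needed to recover.
# Assumption: the flags below exist on your ziti version; ZITI_BIN overrides
# the binary for testing.

ZITI_BIN="${ZITI_BIN:-ziti}"

# Guard: never modify Default and never move admin off it.
guard_rollout() {
    policy="$1"; identity="$2"
    case "$policy" in
        Default|default)
            echo "refusing to modify the Default auth policy" >&2; return 1 ;;
    esac
    case "$identity" in
        admin)
            echo "refusing to move the admin identity off Default" >&2; return 1 ;;
    esac
    return 0
}

# Create the TOTP-required policy once; reuse it if it already exists.
# Assumption: the list filter syntax name="..." is accepted by this ziti version.
ensure_totp_policy() {
    policy="$1"
    if "$ZITI_BIN" edge list auth-policies "name=\"$policy\"" 2>/dev/null | grep -q "$policy"; then
        return 0
    fi
    "$ZITI_BIN" edge create auth-policy "$policy" --secondary-req-totp
}

# Move a single identity onto the TOTP policy after the guard passes.
assign_totp_policy() {
    policy="$1"; identity="$2"
    guard_rollout "$policy" "$identity" || return 1
    ensure_totp_policy "$policy" || return 1
    "$ZITI_BIN" edge update identity "$identity" --auth-policy "$policy"
}

# Roll the policy out to a list of identities, stopping at the first failure.
# Usage: stage_totp_rollout dev-totp-policy dev-alice dev-bob
stage_totp_rollout() {
    policy="$1"; shift
    for id in "$@"; do
        assign_totp_policy "$policy" "$id" || return 1
    done
}
```

Because the admin identity stays on Default, `ziti edge login` as admin keeps working while developers are enrolled on the new policy; once every developer identity is on the TOTP policy and a break-glass admin path has been confirmed, Default can be tightened separately and deliberately.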