Invoking MFA with ZDBC (or SDKs in general)

As an additional angle to requiring MFA, authentication policies were recently introduced and have poor documentation and CLI support (working on this: "adds list auth-policies" by andrewpmartinez, Pull Request #770, openziti/ziti on GitHub).

Authentication policies have the ability to require TOTP MFA. The default authentication policy in a ziti network does not require it, but it can be turned on. Existing clients with auth policies that require MFA TOTP will have the ability to enroll while partially authenticated (i.e. passed cert/jwt/updb auth but not TOTP MFA).

All said:

  • auth policies can require MFA TOTP during authentication (i.e. logging in)
  • clients can always decide to have MFA TOTP for authentication regardless of auth policies
  • MFA posture checks can require MFA TOTP during authorization (i.e. creating service sessions/connecting)
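The three cases in the post (policy-required TOTP at login, client opt-in, and MFA posture checks at service-session time) are easy to mix up, so here is an added example that models them as plain functions and builds the request body for creating an auth policy that requires TOTP. This is my own illustration, not OpenZiti controller or SDK code: the `authenticate` and `can_create_service_session` rules restate the post's bullets, the identities and policies are constructed inline, and the JSON field names in `auth_policy_create_body` follow the Edge Management API's authPolicyCreate schema as I remember it and should be checked against your controller's swagger before use.

```python
# Added example (not OpenZiti code): a small model of when TOTP MFA is
# demanded, plus the assumed request body for creating an auth policy.
from dataclasses import dataclass


@dataclass
class AuthPolicy:
    name: str
    require_totp: bool = False  # maps to secondary.requireTotp (assumed name)


@dataclass
class Identity:
    name: str
    auth_policy: AuthPolicy
    mfa_enrolled: bool = False  # client chose to enroll TOTP on its own


def auth_policy_create_body(name: str, require_totp: bool) -> dict:
    """Body for POST /edge/management/v1/auth-policies.

    Field names are an assumption based on the Edge Management API spec;
    verify against your controller's swagger before sending this.
    """
    return {
        "name": name,
        "primary": {
            "cert": {"allowed": True, "allowExpiredCerts": False},
            "updb": {
                "allowed": False, "maxAttempts": 5, "lockoutDurationMinutes": 15,
                "minPasswordLength": 5, "requireMixedCase": False,
                "requireNumberChar": False, "requireSpecialChar": False,
            },
            "extJwt": {"allowed": False, "allowedSigners": []},
        },
        "secondary": {"requireTotp": require_totp, "requireExtJwtSigner": None},
    }


def authenticate(identity: Identity, primary_ok: bool, totp_ok: bool) -> str:
    """Outcome of one authentication (login) attempt.

    "rejected" - the primary factor (cert / JWT / updb) failed
    "full"     - fully authenticated, may go on to create service sessions
    "partial"  - primary passed but TOTP is outstanding; the session can only
                 be used to enroll MFA (if not enrolled) or submit a TOTP code
    """
    if not primary_ok:
        return "rejected"
    # TOTP is demanded by the auth policy OR because the client enrolled itself
    totp_required = identity.auth_policy.require_totp or identity.mfa_enrolled
    if not totp_required:
        return "full"
    if identity.mfa_enrolled and totp_ok:
        return "full"
    return "partial"


def partial_session_action(identity: Identity) -> str:
    """What a partially authenticated session is allowed to do next."""
    return "submit-totp" if identity.mfa_enrolled else "enroll-mfa"


def can_create_service_session(auth_state: str, service_has_mfa_posture_check: bool,
                               totp_passed: bool) -> bool:
    """Authorization: an MFA posture check gates service sessions, not login.

    A fully authenticated identity with no TOTP at all still fails here if the
    service carries an MFA posture check.
    """
    if auth_state != "full":
        return False
    if service_has_mfa_posture_check and not totp_passed:
        return False
    return True


if __name__ == "__main__":
    # Constructed identities covering the post's cases.
    default_policy = AuthPolicy("Default")                    # no TOTP at login
    strict_policy = AuthPolicy("require-totp", require_totp=True)
    plain = Identity("plain", default_policy)
    opted_in = Identity("opted-in", default_policy, mfa_enrolled=True)
    fresh_strict = Identity("fresh-strict", strict_policy)    # must enroll first

    print("plain login:", authenticate(plain, True, False))
    print("opted-in login, no code:", authenticate(opted_in, True, False),
          "->", partial_session_action(opted_in))
    print("fresh strict login:", authenticate(fresh_strict, True, False),
          "->", partial_session_action(fresh_strict))
    print("plain vs MFA posture check:",
          can_create_service_session("full", True, False))
    print(auth_policy_create_body("require-totp", True)["secondary"])
```

Note the asymmetry the model makes visible: an identity under the default policy and without MFA enrolled logs in "full" yet still cannot reach a service that carries an MFA posture check, whereas an identity under a TOTP-requiring policy never gets past "partial" until it enrolls and submits a code.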