Allow enforcing 2FA/MFA for different user groups for Google Auth and Hardware 2FA in the same way as for E-mail 2FA.
I think this might not have been implemented because you’re in a loop when users haven’t got 2FA/MFA configured, but have it enforced, which creates a problem to logon. Obviously this isn’t an issue for E-mail 2FA as the user has control of their registered e-mail address.
There are two ways I can think of to handle this (and implementing both would be good):
1) When a user that is in a group that requires 2FA through Google Auth and/or Hardware 2FA logs in but isn’t registered, force them to configure these options before completing logon in the same way as a Shield controlled expired password.
2) Allow an admin to give notice to users of X number of days. For those having the policy applied initially, this will be X number of days from turning on enforced 2FA. For new users, it will be X number of days after registering. (There should also be the option of setting 0 number of days for immediate implementation through number 1) above).
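The two options above boil down to one decision taken at every login: are the user's group requirements met, and if not, is the user still inside a grace window or must enrolment be forced before the session is issued. The block below is an added example, written for this page, that models that decision; it is not code from the original post or from the plugin being discussed. The group names, dates, method labels and every function name in it are constructed assumptions, and the grace deadline is computed as the later of registration date and enforcement date plus X days, which covers both the "existing user" and "new user" cases in item 2.

```python
"""Illustrative model of group-based MFA enforcement with an optional grace
period. Added example, not the plugin's code. All names/dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Method(Enum):
    EMAIL = "email"
    GOOGLE_AUTH = "google_auth"   # TOTP authenticator app
    HARDWARE = "hardware"         # hardware 2FA token


class Decision(Enum):
    ALLOW = "allow"                # requirements met, complete login normally
    WARN = "warn"                  # inside grace period: log in, show enrolment notice
    FORCE_ENROLL = "force_enroll"  # enrol missing methods before login completes (item 1)


@dataclass(frozen=True)
class Policy:
    required_by_group: dict   # group name -> set of Method required for that group
    enforced_since: date      # day the admin switched enforcement on
    grace_days: int = 0       # 0 = immediate enforcement, as the post asks for


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    enrolled: frozenset       # Methods the user has already configured
    registered_on: date


def required_methods(user: User, policy: Policy) -> set:
    """Union of requirements over every group the user belongs to."""
    req = set()
    for group in user.groups:
        req |= policy.required_by_group.get(group, set())
    return req


def missing_methods(user: User, policy: Policy) -> set:
    return required_methods(user, policy) - set(user.enrolled)


def grace_deadline(user: User, policy: Policy) -> date:
    """Existing users count from enforcement day, new users from registration day."""
    start = max(user.registered_on, policy.enforced_since)
    return start + timedelta(days=policy.grace_days)


def evaluate_login(user: User, policy: Policy, today: date):
    """Return (decision, missing methods, whole days left in the grace period).

    The enrolment screen must stay reachable while a user is in FORCE_ENROLL,
    otherwise an enforced-but-unenrolled account is locked out: the loop the
    post describes."""
    missing = missing_methods(user, policy)
    if not missing:
        return Decision.ALLOW, missing, 0
    if policy.grace_days == 0:
        return Decision.FORCE_ENROLL, missing, 0
    days_left = (grace_deadline(user, policy) - today).days
    if days_left <= 0:
        return Decision.FORCE_ENROLL, missing, 0
    return Decision.WARN, missing, days_left


# Constructed sample data for the demonstration.
POLICY = Policy(
    required_by_group={
        "admins": {Method.GOOGLE_AUTH, Method.HARDWARE},
        "editors": {Method.GOOGLE_AUTH},
    },
    enforced_since=date(2024, 3, 1),
    grace_days=14,
)
IMMEDIATE_POLICY = Policy(POLICY.required_by_group, POLICY.enforced_since, grace_days=0)

ALICE = User("alice", frozenset({"admins"}),
             frozenset({Method.EMAIL, Method.GOOGLE_AUTH}), date(2023, 6, 10))   # existing admin
BOB = User("bob", frozenset({"editors"}), frozenset({Method.EMAIL}), date(2024, 4, 1))  # new editor
CAROL = User("carol", frozenset({"subscribers"}), frozenset({Method.EMAIL}), date(2024, 4, 2))

if __name__ == "__main__":
    for user, day in [(ALICE, date(2024, 3, 5)), (ALICE, date(2024, 3, 20)),
                      (BOB, date(2024, 4, 5)), (CAROL, date(2024, 4, 5))]:
        decision, missing, left = evaluate_login(user, POLICY, day)
        print(day, user.name, decision.value, sorted(m.value for m in missing), left)
```

Running the block prints one line per sample login: Alice is warned with ten days left on 5 March and forced to enrol a hardware token on 20 March, Bob's clock starts from his April registration rather than the March enforcement date, and Carol, whose group has no requirement, is simply allowed through.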