Question for us: Does the IdP pass along the information of whether or not the user performed MFA to the SP?
I’m thinking of the analogous mechanism to U2F / FIDO - the program can ask for an attestation from the device as to the level of user interaction expected/required for the credential.
If Discourse ID… or similarly any other IdP (SAML? OAuth2? OIDC?) passes this information along to the SP, it would be a piece of information we could potentially use.
If not, we’re kind of stuck needing to implement MFA post-federated login to get this guarantee.
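
An added example, not part of the original post and not Discourse's own code: one way an SP could act on this signal when the IdP speaks OIDC, using the standard ID token claims `amr` (method values from RFC 8176), `acr` and `auth_time`. Whether Discourse ID or any given IdP actually emits these claims is an assumption, as are the helper name `mfa_decision`, the factor-category policy and the `accepted_acr` values; the token is assumed to be already signature-validated.

```ruby
# Added example: SP-side check of whether the IdP asserted MFA.
# `claims` is the payload of an ID token whose signature, iss, aud and exp
# were ALREADY validated elsewhere; this code does not verify the token.

# Policy assumption: two methods from different factor categories count as MFA.
# "sms" and "tel" are deliberately left out of the map (policy choice).
AMR_CATEGORY = {
  "pwd" => :knowledge, "pin" => :knowledge, "kba" => :knowledge,
  "otp" => :possession, "hwk" => :possession, "swk" => :possession,
  "sc" => :possession, "fpt" => :inherence, "face" => :inherence
}.freeze

# Returns [:satisfied | :step_up, reason]. Hypothetical helper name.
def mfa_decision(claims, now: Time.now.to_i, max_age: 3600, accepted_acr: [])
  amr, acr, auth_time = claims.values_at("amr", "acr", "auth_time")

  # IdP said nothing about how the user authenticated: no guarantee at all.
  return [:step_up, "no amr/acr claim"] if amr.nil? && acr.nil?

  # amr must be a JSON array of strings; anything else is treated as empty.
  amr = [] unless amr.is_a?(Array) && amr.all? { |m| m.is_a?(String) }

  # "mfa" is the RFC 8176 value for multiple-factor authentication.
  strong = amr.include?("mfa") ||
           amr.map { |m| AMR_CATEGORY[m] }.compact.uniq.size >= 2 ||
           (acr.is_a?(String) && accepted_acr.include?(acr))
  return [:step_up, "single factor or unrecognised method"] unless strong

  # A strong login long ago says little about who holds the session now.
  fresh = auth_time.is_a?(Integer) && auth_time <= now + 60 &&
          now - auth_time <= max_age
  return [:step_up, "auth_time missing or too old"] unless fresh

  [:satisfied, "IdP asserted MFA"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample claim sets, not captured from any real IdP.
  now = 1_700_000_500
  [
    { "amr" => %w[pwd otp], "auth_time" => 1_700_000_000 },
    { "amr" => %w[pwd], "auth_time" => 1_700_000_000 },
    { "sub" => "user-1" },
    { "amr" => %w[mfa], "auth_time" => 1_600_000_000 }
  ].each { |c| puts "#{c.inspect} -> #{mfa_decision(c, now: now).inspect}" }
end
```

A `:step_up` result corresponds to the fallback in the post: the SP runs its own MFA after the federated login.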