I very much agree with Eric that all users should have the option to enable MFA. I can't think of any advantage to limiting that option to only some users, especially since it's not just super admin roles with access to patron data.

SSO is a great suggestion as well, though I'm sure that would be a much more complicated solution to implement and I'd rank MFA as a higher priority.

I strongly support requiring Multi-Factor Authentication (MFA) for all users, regardless of role, as a critical step in strengthening overall security. Instead of creating a standalone MFA solution specifically for LX Starter, a more efficient approach would be to allow customers to configure Single Sign-On (SSO) with MFA through their existing identity management systems, such as Microsoft Entra ID or Google. This strategy enables customers to use their own trusted systems for MFA validation, consolidating authentication within a single, familiar platform. By reducing the need for multiple authentication sources, this approach simplifies security management, minimizes friction for users, and enhances control over access.