Commit 916a609

defguard-community and gitbook-bot authored and committed
GITBOOK-443: per-location MFA config ADR
1 parent c4ae2af commit 916a609

1 file changed

Lines changed: 9 additions & 1 deletion

  • in-depth/architecture-decision-records
@@ -1,3 +1,11 @@
11
# 1.5
22

3-
TODO
3+
## 2025-07-22 Per-location MFA settings
4+
5+
Until this point enabling MFA for a location has been a simple on/off toggle for each location. Since using an external OIDC provider (e.g. Google) for client MFA was introduced in [#1264](https://github.com/DefGuard/defguard/pull/1264) we now need to configure which type of MFA (internal or external) a given location is using.
6+
7+
In practice this means that within core the `WireguardLocation` struct no longer has an `mfa_enabled` boolean field, but instead uses a `location_mfa_mode` field. This field uses a `LocationMfaMode` enum with three possible values (for now): `Disabled`, `Internal` and `External`.
8+
9+
To retain compatibility with legacy clients [our protos were updated](https://github.com/DefGuard/proto/pull/40) to include the new field as optional and `mfa_enabled` field was marked as deprecated, but not yet removed. It will now be set to `true` only if a location uses internal MFA which allows pre-1.5 clients to work as before with new core releases.
10+
11+
Since the new field is optional and `mfa_enabled` is still present, new client can still use a pre-1.5 core for internal MFA.
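
Review bot: The two compatibility paragraphs (new lines 9 and 11) cover only internal MFA and leave the `External` case undocumented for legacy clients. Because `mfa_enabled` is now set to `true` only if a location uses internal MFA, a pre-1.5 client will receive `mfa_enabled = false` for a location in `External` mode and cannot tell it apart from `Disabled`. Please state what happens in that case: whether the connection is still refused until the external MFA step completes, or whether such locations are simply unusable from legacy clients, so a reader can confirm the fallback never skips MFA. It would also help to spell out the reverse direction, namely that a new client treats an absent `location_mfa_mode` as the signal to fall back to `mfa_enabled`, and to change "new client" to "a new client" in the last sentence.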
