# 1.5

## 2025-07-22 Per-location MFA settings

Until this point enabling MFA for a location has been a simple on/off toggle for each location. Since using an external OIDC provider (e.g. Google) for client MFA was introduced in [#1264](https://github.com/DefGuard/defguard/pull/1264) we now need to configure which type of MFA (internal or external) a given location is using.

In practice, this means that within core the `WireguardLocation` struct no longer has an `mfa_enabled` boolean field, but instead uses a `location_mfa_mode` field. This field uses a `LocationMfaMode` enum with three possible values (for now): `Disabled`, `Internal` and `External`.

To retain compatibility with legacy clients, [our protos were updated](https://github.com/DefGuard/proto/pull/40) to include the new field as optional and `mfa_enabled` field was marked as deprecated, but not yet removed. It will now be set to `true` only if a location uses internal MFA, which allows pre-1.5 clients to work as before with new core releases.

Since the new field is optional and `mfa_enabled` is still present, new client can still use a pre-1.5 core for internal MFA.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.defguard.net/2.1/in-depth/architecture-decision-records/1.5.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.