# 1.5

## 2025-07-22 Per-location MFA settings

Until this point enabling MFA for a location has been a simple on/off toggle for each location. Since using an external OIDC provider (e.g. Google) for client MFA was introduced in [#1264](https://github.com/DefGuard/defguard/pull/1264) we now need to configure which type of MFA (internal or external) a given location is using.

In practice, this means that within core the `WireguardLocation` struct no longer has an `mfa_enabled` boolean field, but instead uses a `location_mfa_mode` field. This field uses a `LocationMfaMode` enum with three possible values (for now): `Disabled`, `Internal` and `External`.

To retain compatibility with legacy clients, [our protos were updated](https://github.com/DefGuard/proto/pull/40) to include the new field as optional and `mfa_enabled` field was marked as deprecated, but not yet removed. It will now be set to `true` only if a location uses internal MFA, which allows pre-1.5 clients to work as before with new core releases.

Since the new field is optional and `mfa_enabled` is still present, new client can still use a pre-1.5 core for internal MFA.