From 321d66766f3ed5fb4292ebc894285abce28b4a3e Mon Sep 17 00:00:00 2001
From: joerger
Date: Mon, 30 Sep 2024 13:30:59 -0700
Subject: [PATCH] Enforce Admin MFA in clusters where MFA is required and OTP is disabled.

---
 api/types/authentication.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/api/types/authentication.go b/api/types/authentication.go
index fd81f21c81fa9..6a0d7f40a453e 100644
--- a/api/types/authentication.go
+++ b/api/types/authentication.go
@@ -372,10 +372,10 @@ func (c *AuthPreferenceV2) IsSecondFactorWebauthnAllowed() bool {
 		c.Spec.SecondFactor == constants.SecondFactorOn
 }
 
-// IsAdminActionMFAEnforced checks if admin action MFA is enforced. Currently, the only
-// prerequisite for admin action MFA enforcement is whether Webauthn is enforced.
+// IsAdminActionMFAEnforced checks if admin action MFA is enforced.
 func (c *AuthPreferenceV2) IsAdminActionMFAEnforced() bool {
-	return c.Spec.SecondFactor == constants.SecondFactorWebauthn
+	// OTP is not supported for Admin MFA.
+	return c.IsSecondFactorEnforced() && !c.IsSecondFactorTOTPAllowed()
 }
 
 // GetConnectorName gets the name of the OIDC or SAML connector to use. If
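Review bot: The doc comment on `IsAdminActionMFAEnforced` was shortened just as the enforcement condition became a composition of two other helpers, so a reader can no longer tell from the signature which cluster configurations gate admin actions behind MFA; suggest `// IsAdminActionMFAEnforced reports whether admin actions require MFA: the second factor must be enforced and TOTP must not be an allowed method, because OTP is not supported for admin MFA.` Both `IsSecondFactorEnforced` and `IsSecondFactorTOTPAllowed` are defined outside this hunk, so whether the new predicate is equivalent to the old `SecondFactor == webauthn` check for every mode (off, otp, optional, on, webauthn, and any newer multi-method settings) cannot be confirmed from the diff. Since this predicate decides whether a privileged operation is re-authenticated at all, a regression would silently relax the control; a table-driven unit test over each second-factor configuration asserting the expected enforced/not-enforced outcome would pin the matrix and is worth adding alongside this change.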