BastionZero uses two roots of trust to authenticate users in your organization. The first is your SSO provider. The second is an independent BastionZero MFA.
All new BastionZero organizations are created with BastionZero MFA enabled by default. BastionZero MFA is organization-wide and cannot be disabled for the entire organization. However, administrators within that organization are able to enable/disable an individual user's MFA. Please note that in order to do this, the user must first log in and set up their MFA. Only after the account has been established can an administrator disable, re-enable, or reset the individual MFA.
To verify that organization-wide MFA is enabled, open the Security Settings page by choosing the gear icon in the top right corner of the web app, then navigate to "System Controls" underneath "Security."
Because the BastionZero factor is enforced for the whole organization, every BastionZero client must submit it before an authenticated SSO user is granted access to the BastionZero service.
This creates a true multi-factor authentication system: your user's credentials are one factor, BastionZero's independent factor is a second, and, assuming you have your SSO provider's own MFA enabled (which we recommend as a security best practice), that is a third.
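The access decision described above, written out as an added example that is not BastionZero's own code: the SSO assertion and an independent second factor are checked separately, the organization-wide default keeps the second factor on, and an administrator can only disable or reset a user's factor after that user has enrolled. The TOTP algorithm (RFC 6238 over HMAC-SHA1), the `UserRecord` structure, and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

STEP_SECONDS = 30  # assumed TOTP time step


class MfaNotEnrolled(Exception):
    """Raised when an admin tries to manage MFA for a user who never set it up."""


@dataclass
class UserRecord:
    email: str
    mfa_secret: Optional[bytes] = None  # populated when the user enrols (assumed TOTP secret)
    mfa_enabled: bool = True            # organization default: on; admins may toggle per user


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with dynamic truncation (assumed factor type)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enrol_mfa(user: UserRecord, secret: bytes) -> None:
    """The user sets up their own factor at login; only afterwards can admins manage it."""
    user.mfa_secret = secret
    user.mfa_enabled = True


def admin_set_mfa(user: UserRecord, enabled: bool) -> None:
    """Per-user enable/disable; refused until the user has enrolled."""
    if user.mfa_secret is None:
        raise MfaNotEnrolled(f"{user.email} has not set up MFA yet")
    user.mfa_enabled = enabled


def admin_reset_mfa(user: UserRecord) -> None:
    """Clear the enrolled secret so the user must set MFA up again at next login."""
    if user.mfa_secret is None:
        raise MfaNotEnrolled(f"{user.email} has not set up MFA yet")
    user.mfa_secret = None
    user.mfa_enabled = True


def authorize(user: UserRecord, sso_assertion_ok: bool,
              mfa_code: Optional[str], unix_time: int) -> Tuple[bool, str]:
    """Grant access only when the SSO root of trust and, unless an admin
    disabled it for this user, the independent second factor both pass."""
    if not sso_assertion_ok:
        return False, "sso-factor-failed"
    if not user.mfa_enabled:
        return True, "granted:sso-only"
    if user.mfa_secret is None:
        return False, "mfa-enrolment-required"
    if mfa_code is None:
        return False, "bastionzero-factor-missing"
    # Accept the current step and one step either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        expected = totp(user.mfa_secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(mfa_code, expected):
            return True, "granted:sso+bastionzero-mfa"
    return False, "bastionzero-factor-failed"


if __name__ == "__main__":
    # Constructed walk-through using the RFC 6238 test secret.
    alice = UserRecord("alice@example.com")
    enrol_mfa(alice, b"12345678901234567890")
    print(authorize(alice, True, totp(alice.mfa_secret, 59), 59))
    admin_set_mfa(alice, False)
    print(authorize(alice, True, None, 59))
```

The `hmac.compare_digest` call keeps the code comparison constant-time, and the enrolment check in `admin_set_mfa` and `admin_reset_mfa` is what enforces the rule that an administrator can act on a user's factor only after the user has established it.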