New Capability: TOTP Device Configuration Required for All Elevated Users Starting Next Week

Closing the loop.
Looks like RSA isn’t supported for this. For folks that don’t have an alternative MFA approved for use, we can opt out of TOTP.

If we opt out, it doesn’t look like there is a way to granularly control which accounts can bypass SAML. Any account with admin access can bypass SAML and bypass any MFA.

Does this leave privileged accounts exposed?