Forum Discussion

rmarshall
New Contributor
4 hours ago

Feature Request: Vault Level MFA Enforcement

Problem Statement
Currently, MFA can be enforced at the account level, which applies universally to all vaults and users. While this provides a strong baseline, it lacks granularity for organizations that manage vaults with varying sensitivity levels. Not all vaults contain equally critical data, and enforcing MFA globally may introduce unnecessary friction for lower-risk use cases.

Proposed Enhancement
Introduce the capability to require MFA specifically for access to designated vaults. This would allow administrators to:

  • Enforce MFA only when accessing high-sensitivity vaults (e.g., privileged credentials, production secrets, break glass)
  • Maintain a more flexible user experience for lower-risk vaults
  • Apply differentiated security policies aligned with data classification

Suggested Functionality

  • Admin-configurable MFA requirement at the vault level
  • Conditional prompts: users authenticate with MFA only when accessing protected vaults
  • Audit logging for vault-level MFA enforcement and access attempts

Use Cases

  • Segregation of privileged credentials requiring stronger authentication controls
  • Compliance scenarios where specific data sets require step-up authentication
  • Organizations implementing tiered security models across teams or environments

Impact / Benefits

  • Improved security posture through granular access controls
  • Reduced user friction by avoiding blanket MFA enforcement
  • Better alignment with enterprise security policies and compliance requirements

Thank you for your consideration.
