Nothing hardcoded. Admin mixes login factors freely and assigns the rule per department or per person. Most-specific wins: person → department → default. Tap a row to edit + preview.
Login policies
A person rule overrides their department rule, which overrides the default. So you can set one employee differently from the rest of their team.
Apply this rule to:
Person:
—
Required factors for this scope (any combination):
New-device approval options — a login from a new hardware/software fingerprint needs admin approval.
Skip approval if signed in with a registered USB stick:
Auto-trust this device for:
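How the precedence and new-device rules above could be evaluated, as an added example that is not code from this draft. The field names, factor labels, sample rows, integer day counter, and the choice that a more specific rule replaces the broader one whole (no merging) are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                  # hypothetical shape of one rule row
    factors: frozenset         # every listed factor must be presented
    usb_skips_approval: bool   # "Skip approval if signed in with a registered USB stick"
    auto_trust_days: int       # "Auto-trust this device for:" (0 = never, assumed)

# Constructed sample rows; names and factor labels are illustrative only.
DEFAULT = Policy(frozenset({"password", "totp"}), False, 0)
DEPARTMENTS = {"finance": Policy(frozenset({"password", "usb_stick"}), True, 30)}
PERSONS = {"alice": Policy(frozenset({"password", "totp", "usb_stick"}), False, 7)}

def resolve(person, department):
    """Most-specific wins: person -> department -> default."""
    if person in PERSONS:
        return PERSONS[person], "person"
    if department in DEPARTMENTS:
        return DEPARTMENTS[department], "department"
    return DEFAULT, "default"

def trust(person, department, fingerprint, trusted, today):
    """Record an approved device; called on admin approval or a USB skip."""
    policy, _ = resolve(person, department)
    if policy.auto_trust_days > 0:
        trusted[(person, fingerprint)] = today + policy.auto_trust_days

def decide(person, department, presented, fingerprint, trusted, today):
    """Return (decision, scope). `trusted` maps (person, fingerprint) -> expiry day."""
    policy, scope = resolve(person, department)
    if not policy.factors <= set(presented):
        return "deny", scope                  # missing factor: never reaches approval
    expiry = trusted.get((person, fingerprint))
    if expiry is not None and today < expiry:
        return "allow", scope                 # known device inside its trust window
    if policy.usb_skips_approval and "usb_stick" in presented:
        trust(person, department, fingerprint, trusted, today)
        return "allow", scope
    return "needs_admin_approval", scope      # new or expired fingerprint
```

Returning the winning scope alongside the decision lets an audit log show which rule produced each outcome, which matters when a person rule is looser than the department rule it overrides.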
visual draft · mock · the engine is configurable per dept/person — these rows are examples, not fixed.
Approve the shape → I write the plan + build it (auth = the right hard path).