The most logical place that I see MFA being applied is at login.
I agree that having to go through MFA each login is not a great user experience.
In that sense, why not maintain an authenticated session, letâs say 30 mins, where you have to login with MFA at beginning and for next 30 mins you wonât need to go through MFA again?
As @OJFord said, the customers may not always know whatâs the best, hence why decisions such as those related to security should be enforced by the service and not left up to the users.