Where does the force URL parameter come from in the MFA setup page?

I noticed that the force prop in the MFA setup component is taken directly from the URL:

/ui/v2/login/mfa/set?loginName=XXX&force=false&checkAfter=true&sessionId=XXX&requestId=oidc_V2_XXX&organization=XXX

/ui/v2/login/mfa/set?loginName=XXX&force=false&checkAfter=true&sessionId=XXX&requestId=oidc_V2_XXX&organization=XXX

/ui/v2/login/mfa/set?loginName=XXX&force=false&checkAfter=true&sessionId=XXX&requestId=oidc_V2_XXX&organization=XXX

/ui/v2/login/mfa/set?loginName=XXX&force=false&checkAfter=true&sessionId=XXX&requestId=oidc_V2_XXX&organization=XXX

In the code:

<ChooseSecondFactorToSetup
  userId={sessionWithData.factors?.user?.id}
  loginName={loginName}
  sessionId={sessionWithData.id}
  requestId={requestId}
  organization={organization}
  loginSettings={loginSettings}
  userMethods={sessionWithData.authMethods ?? []}
  phoneVerified={sessionWithData.phoneVerified ?? false}
  emailVerified={sessionWithData.emailVerified ?? false}
  checkAfter={checkAfter === "true"}
  force={force === "true"}
></ChooseSecondFactorToSetup>

<ChooseSecondFactorToSetup
  userId={sessionWithData.factors?.user?.id}
  loginName={loginName}
  sessionId={sessionWithData.id}
  requestId={requestId}
  organization={organization}
  loginSettings={loginSettings}
  userMethods={sessionWithData.authMethods ?? []}
  phoneVerified={sessionWithData.phoneVerified ?? false}
  emailVerified={sessionWithData.emailVerified ?? false}
  checkAfter={checkAfter === "true"}
  force={force === "true"}
></ChooseSecondFactorToSetup>

<ChooseSecondFactorToSetup
  userId={sessionWithData.factors?.user?.id}
  loginName={loginName}
  sessionId={sessionWithData.id}
  requestId={requestId}
  organization={organization}
  loginSettings={loginSettings}
  userMethods={sessionWithData.authMethods ?? []}
  phoneVerified={sessionWithData.phoneVerified ?? false}
  emailVerified={sessionWithData.emailVerified ?? false}
  checkAfter={checkAfter === "true"}
  force={force === "true"}
></ChooseSecondFactorToSetup>

<ChooseSecondFactorToSetup
  userId={sessionWithData.factors?.user?.id}
  loginName={loginName}
  sessionId={sessionWithData.id}
  requestId={requestId}
  organization={organization}
  loginSettings={loginSettings}
  userMethods={sessionWithData.authMethods ?? []}
  phoneVerified={sessionWithData.phoneVerified ?? false}
  emailVerified={sessionWithData.emailVerified ?? false}
  checkAfter={checkAfter === "true"}
  force={force === "true"}
></ChooseSecondFactorToSetup>

My questions is:

Where does this force parameter in the URL originate?
Is it connected in any way to the “Force MFA for all users” setting in the admin panel?

Ask Inkeep•11/21/25, 12:14 PM

Hi @gloammer, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•11/21/25, 12:14 PM

Answer

---

I wasn't able to find a direct answer, here are some relevant sources:

Get Login Settings : This documents the forceMfaforceMfa boolean setting which determines if users are forced to use multi-factor authentication for login, and forceMfaLocalOnlyforceMfaLocalOnly which forces MFA only for local authentication.
Multi-Factor Authentication (MFA) in a Custom Login UI : This covers MFA registration and authentication flows, including TOTP, SMS, Email, and U2F methods.

The sources don't explicitly document where the forceforce URL parameter originates or its direct relationship to the "Force MFA for all users" admin panel setting. You might want to check the ZITADEL source code or reach out through official support channels for implementation-specific details about URL parameter generation.

**

Ask Inkeep•11/21/25, 12:14 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep Empty message

Ask InkeepAPP•11/21/25, 12:15 PM

Got it. Tagging @Rajat for additional help.

Rajat•11/24/25, 11:11 AM

hey @gloammer thanks, I will take a look and will get back to you

Rajat•11/25/25, 1:24 PM

I think the setting here is when you toggle Force MFA for all usersForce MFA for all users on

gloammerOP•11/27/25, 8:06 AM

Hi, @Rajat !
Yes, but in this case the "Skip" button on the MFA setup step never appears.
That is, if the Force MFA for all usersForce MFA for all users setting is disabled, the user is not prompted to set up MFA at all, and if this same setting is enabled, then the step becomes mandatory with no option to skip it.
It seems like this is incorrect behavior.
We are using Admin Panel v4.2.0 and the latest version of the Login UI (self-hosted).

gloammerOP•12/3/25, 3:25 PM

@Rajat, hi, following up on this. Any updates?

Ggloammer <@1346540274674827395>, hi, following up on this. Any updates?

Rajat•12/4/25, 11:29 AM

the Skip button never appears regardless of the setting telle me that the force parameter isn't being properly derived from the login policy settings I believe. The parameter should dynamically reflect whether MFA is enforced based on your org login policy configuration, could you open a small bug for it. Also the screenshots of your Login settings so thatr we know.

gloammerOP•12/5/25, 10:00 AM

Okay, thanks
https://github.com/zitadel/zitadel/issues/11141

GitHub

[Bug]: Stage with MFA setup never appears if "Force MFA for all use...

Preflight Checklist I could not find a solution in the documentation, the existing issues or discussions I have joined the ZITADEL chat Environment Self-hosted Version v4.2.0 Database PostgreSQL Da...