When a new user resource is created, the mfaEnabled attribute that controls the user’s ability to use multi-factor authentication is set to false by default.

For existing users, you can use the GET /environments/{environmentId}/users/{userId}/mfaEnabled operation to check whether the specified user is enabled or disabled.