
Provide self-service methods for finding users with no MFA configured
Closed, Resolved (Public)

Description

This doesn't come up terribly often but it should be easy to build: there's currently no way to get a list of users with no MFA configured. The use case for this is:

  • An administrator wants to enable security.require-multi-factor-auth to require MFA for all users.
  • They send out an email to everyone like "hey, go configure MFA before you're forced to, this is fair warning, don't complain to me when it happens".
  • ha ha ha of course no users do that
  • So now the administrator wants a list of people they need to go harass in person so they can say "I warned everyone three times and came by your desk and looked you in the eyes and you promised you'd do this for me but you didn't so please please please don't complain".
  • Then they enable security.require-multi-factor-auth.
  • Then everyone complains that they weren't warned and their lives are ruined.

There's currently no way to get the list of people to harass. It would probably be nice to have a bin/auth approach (for CLI/script access) and a web approach (primarily for Phacility SaaS).

I think we can safely add this to People as a normal query. A potential problem with this is that it allows an attacker to target accounts with no MFA (by running this same query to find "weak" accounts, then focusing their attacks on those accounts). This is probably fine, but making this constraint admin-only might be desirable/reasonable?

(Also I think this came up once in the past and I wrote some kind of script or something, maybe? So I might just need to dig that up or perhaps I'm forgetting about something I already wrote.)
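As an added example (not code from this task or from Phabricator itself), the audit query an administrator with database access could run today to build the "no MFA configured" list. It assumes the standard Phabricator schema as I understand it: a `phabricator_user.user` table with `phid`, `userName`, `isDisabled`, `isSystemAgent` and `isMailingList` columns, and a `phabricator_auth.auth_factorconfig` table with a `userPHID` column holding one row per enrolled factor; verify these names against your own install before relying on the output.

```sql
-- Audit query: human accounts that have no MFA factor enrolled.
-- Table and column names are assumed from the usual Phabricator schema;
-- confirm them against the install before use.
SELECT
    u.userName,
    u.realName
FROM phabricator_user.user AS u
LEFT JOIN phabricator_auth.auth_factorconfig AS f
       ON f.userPHID = u.phid
WHERE f.id IS NULL             -- no factor rows at all for this user
  AND u.isDisabled = 0         -- disabled accounts cannot log in anyway
  AND u.isSystemAgent = 0      -- bots authenticate with API tokens, not MFA
  AND u.isMailingList = 0      -- mailing-list pseudo-users never log in
ORDER BY u.userName;
```

Because the join keys on the factor table rather than a per-user flag, the same query also catches accounts whose only factor was later deleted; re-run it just before flipping security.require-multi-factor-auth so the warning list and the enforcement moment match.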