Auth end user mfa not implemented

End-user Multi-Factor Authentication (MFA) is not implemented or enforced for application users. This makes user accounts highly vulnerable to takeover if their primary credentials (e.g., password) are compromised via phishing, data breaches, or credential stuffing.