Versions Compared

Comment: spelling/grammatical corrections

...

It's a classic risk/cost balance.  The right answer depends on tolerance for risk (in terms of less-secure authentication, as well as loss of the authentication service itself) and what price you're willing to pay.

those applications that must remain protected (HIPAA, FISMA Moderate, in their opinion) remain protected during an incident.  However, the much larger (generally speaking) user base of self-service and less secure applications can continue to operate during an event.  This provides a middle-of-the-road solution: protect that which "must" be protected, and allow those with lower risk profiles to continue to operate.

...

In this case the IdP uses local criteria (not based on specific requests from the SP) to decide whether to authenticate the user using MFA (e.g., flags on the user object in the IDM system). Typically in this case the IdP does not communicate the fact of MFA to the SP, instead indicating simply success of a "Password Protected Transport" login. Some mechanisms for allowing "fail-open" behavior are described in the preceding sections ("Bypassing Duo").
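As an added illustration (not code from this page or from any IdP product), the following models the IdP-driven policy described above together with the middle-of-the-road fail-open strategy from the earlier section: the IdP consults a local user flag to decide on MFA, fails closed for SPs marked as must-protect when the MFA service is down, fails open for lower-risk SPs, and reports only PasswordProtectedTransport to the SP. The `Sp`, `User` and `Decision` records, the `MfaHealth` state and the audit format are constructed for the example; only the PasswordProtectedTransport URI is a real SAML 2.0 value.

```python
from dataclasses import dataclass
from enum import Enum

# Real SAML 2.0 authentication context class the IdP reports on success;
# as the page notes, the SP sees this whether or not MFA actually ran.
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)

class MfaHealth(Enum):           # constructed: health of the MFA service (e.g. Duo)
    UP = "up"
    DOWN = "down"

@dataclass(frozen=True)
class Sp:                         # constructed SP record
    entity_id: str
    must_protect: bool            # HIPAA / FISMA Moderate class: never fail open

@dataclass(frozen=True)
class User:                       # constructed user record from the IDM system
    username: str
    mfa_required: bool            # the local flag the IdP consults

@dataclass(frozen=True)
class Decision:
    allow: bool                   # let the login proceed?
    mfa_performed: bool           # was a second factor actually verified?
    reason: str

def decide(user: User, sp: Sp, health: MfaHealth) -> Decision:
    """IdP-local policy: the SP's request is not consulted for MFA."""
    if not user.mfa_required:
        return Decision(True, False, "user not flagged for MFA")
    if health is MfaHealth.UP:
        return Decision(True, True, "MFA required and MFA service available")
    if sp.must_protect:
        # Protected applications stay protected during an incident.
        return Decision(False, False, "fail closed: protected SP, MFA service down")
    # Lower-risk applications keep operating during the outage.
    return Decision(True, False, "fail open: low-risk SP, MFA service down")

def authn_context(decision: Decision):
    """What the SP is told: a single context class on success, nothing on denial."""
    return PASSWORD_PROTECTED_TRANSPORT if decision.allow else None

def audit_line(user: User, sp: Sp, health: MfaHealth, decision: Decision) -> str:
    """One constructed log line per decision; fail-open events must be reviewable."""
    outcome = "ALLOW" if decision.allow else "DENY"
    return (f"user={user.username} sp={sp.entity_id} mfa_service={health.value} "
            f"mfa_performed={decision.mfa_performed} outcome={outcome} reason=\"{decision.reason}\"")
```

During an MFA outage the audit lines are the record of every login that went through without a second factor, so they are worth alerting on rather than only storing.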

...