Currently, there's no Workplace level setting that allows you to force all your users to enable MFA on their accounts. That said, it's still possible to achieve this functionality by using SAML SSO, which is available on all our Doppler plans.
Under SSO, you're able to make logging into Doppler easier for you're users, but you're also able to enforce MFA at the IdP level (e.g., by enabling that requirement in Okta or Google). This means that when a user needs to login to their account from a scratch, they're forced through your SSO login flow which then requires MFA, which in turn protects your Doppler login.
Limiting User Access
In most IdPs you first create the SAML SSO application that performs the login, but by default none of your users will have access to it. You then have to assign that application to users either individually or via groups designated in your IdP. This can then be used to control which of your users have access to your Doppler workplace (e.g., you may want your developers to have access, but not your sales team).
Limited Access By Default
For Team and Enterprise plans, even if a user who wasn't supposed to was able to login via a SAML SSO application, they won't have access to your projects by default (you can get more information on access permissions in our Project Permissions and User Groups docs).
Note that if you're on a Developer plan, all users are assigned as Owners and will have access to all projects.