Two Factor Authentication in short, 2FA, is enabled by default for all users as per our logic considering a user's activity as per the parameters IP, User Agent and Location as risky. If someone usually logs in London and then - all of a sudden in another city or with another IP or location shortly after, the user will be asked for 2FA via SMS.
If the users activity is not considered risky, s/he wont be asked for the 2FA. We generally recommend to use unique passwords everywhere and also to make them as long as possible.
In addition, we inform based on risky logins with: