How to enforce 2FA for some roles and make it optional for the others

We want to enforce 2FA for one or more user roles. However, it must be optional for any other user.
Currently my best attempt is this:

Every attempt has run into one of these issues so far:

  • if several conditional flows are siblings, they are all executed, and a user might be prompted twice if the role matches and he has a key configured
  • if the conditional is placed inside alternative flows, then it fails if a user has a different role, while users without any role work
  • two conditions in one conditional flow means both have to match

How is it possible to have a flow be both alternative AND conditional at the same time, and provide a do-nothing fallthrough?

Edit: is it possible that “Condition - User Configured” does not work with WebAuthn?

I was trying the same thing for the last few hours with OTP (instead of WebAuthn), and I am running into the same issues; interestingly, I was trying a more or less exactly the same authentication flow at the end.

I also have the feeling from my tests that your last alternative flow “None” will never “succeed”, but I am not aware of any “execution” step that does nothing but succeed, or that just breaks out of the flow.

It would also help me to have documentation (besides the mouse-over feature) explaining all possible “executions” in more detail. Can anyone help here?