Assuming roles without MFA poses a security threat: it weakens authentication security and goes against the defense-in-depth principle.
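The following check is an added example, not part of the original page or of any AWS or Terraform tooling: it inspects a role's trust policy (already loaded as a Python dict) and reports `Allow` statements that grant `sts:AssumeRole` without a fail-closed MFA condition. The function names and the sample policies are constructed for illustration; `aws:MultiFactorAuthPresent` and `aws:MultiFactorAuthAge` are the IAM global condition keys it looks for.

```python
# Added example: flags IAM role trust policies that allow sts:AssumeRole without MFA.
# Sample policies are constructed; 111122223333 is a placeholder account ID.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _requires_mfa(condition):
    """True only if the Condition block fails closed when MFA was not used."""
    for operator, keys in condition.items():
        op = operator.lower()
        for key, value in keys.items():
            k = key.lower()
            values = [str(v).lower() for v in _as_list(value)]
            # Bool, not BoolIfExists: an absent key makes the condition false.
            if op == "bool" and k == "aws:multifactorauthpresent" and values == ["true"]:
                return True
            # aws:MultiFactorAuthAge is only present on MFA-authenticated sessions.
            if op in ("numericlessthan", "numericlessthanequals") and k == "aws:multifactorauthage":
                return True
    return False

def statements_missing_mfa(trust_policy):
    """Return indexes of Allow statements granting sts:AssumeRole without MFA."""
    findings = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Service principals cannot present MFA, so they are out of scope here.
        if isinstance(principal, dict) and set(principal) == {"Service"}:
            continue
        if not _requires_mfa(stmt.get("Condition", {})):
            findings.append(i)
    return findings

def _policy(condition=None):
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

NO_CONDITION = _policy()
IF_EXISTS = _policy({"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}})
MFA_REQUIRED = _policy({"Bool": {"aws:MultiFactorAuthPresent": "true"}})

if __name__ == "__main__":
    for name, doc in [("no condition", NO_CONDITION), ("BoolIfExists", IF_EXISTS),
                      ("Bool", MFA_REQUIRED)]:
        print(name, "->", statements_missing_mfa(doc) or "ok")
```

The `BoolIfExists` variant is flagged because, in an `Allow` statement, the condition evaluates to true when the key is missing, which is the case for requests made with long-term credentials.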
In AWS Console -
In Terraform -
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy