...

You can mark a flow as requiring authentication with either the authenticated boolean flag or with an authenticatedPredicate on its descriptor bean.

Note that you can configure a different set of authentication flows for administrative access than for ordinary user access. Each profile can rely on a different set of login flows by setting the authenticationFlows property, although when the MFA flow is involved, this isn't as clear-cut and is usually unnecessary.

More commonly, you can use the defaultAuthenticationMethods property to indirectly influence which flows are used and how they're used by specifying a required custom Principal that the resulting authentication process must satisfy; this is the same mechanism used to attach similar requirements to services that can't request this for themselves using relying party overrides.

...

By default administrative flows are considered to be "browser-supporting". What that means in practice is nothing, unless you turn authentication on. Then it matters for determining whether to behave in ways that would be expected to break a non-browser client. For example, a simple script should not need to navigate a login form, though it could supply basic-auth credentials. So if you turn authentication for a feature on, but you want to use only authentication features that work with a non-browser client, you would need to set the nonBrowserSupported flow descriptor property to signal this. Or you could even perform user-agent testing on the fly to set this by plugging in a condition script via nonBrowserSupportedPredicate.
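The two configurations described above (a non-browser-friendly authenticated flow, and a browser-only flow that pins a required authentication method via defaultAuthenticationMethods), as an added illustration that is not taken from the IdP's distributed configuration files: the shibboleth.AdminFlow parent bean, the shibboleth.SAML2AuthnContextClassRef bean, the SpEL inline-list syntax, and the flow IDs, policy names and context class value are assumed here and should be checked against the release you run.

```xml
<!-- Added example (assumed: conf/admin/general-admin.xml, IdP v3 layout). -->

<!-- Flow 1: authentication turned on, but restricted to the Password flow so a
     script can satisfy it with basic-auth credentials. nonBrowserSupported="true"
     tells the IdP not to behave in ways that assume an interactive browser. -->
<bean parent="shibboleth.AdminFlow"
      c:id="http://shibboleth.net/ns/profiles/status"
      p:loggingId="Status"
      p:policyName="AccessByAdminUser"
      p:authenticated="true"
      p:nonBrowserSupported="true"
      p:authenticationFlows="#{{'Password'}}" />

<!-- Flow 2: browser-only administrative flow. Instead of naming flows directly,
     defaultAuthenticationMethods requires the resulting login to satisfy a
     Principal (here an assumed SAML 2 AuthnContextClassRef value), which in turn
     steers which login flows are eligible. nonBrowserSupported is left at its
     default (false), since an MFA-style flow cannot be driven by a script. -->
<bean parent="shibboleth.AdminFlow"
      c:id="http://example.org/ns/profiles/admin-example"
      p:loggingId="AdminExample"
      p:policyName="AccessByAdminUser"
      p:authenticated="true">
    <property name="defaultAuthenticationMethods">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://refeds.org/profile/mfa" />
        </list>
    </property>
</bean>
```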

...