...
If a "passive/lazy" protection strategy is used, then your application is in control of the process of requesting a session. In this case, the application's redirect to the SP's session initiation endpoint must include an additional encoded query string parameter (authnContextClassRef=https%3%2f%2frefedshttps%3a%2f%2frefeds.org%2fprofile%2fmfa
).
Note that when this strategy is involved, applications have the opportunity for flexible "step-up" models in which users may be forced to elevate their authentication strength based on the actions they perform. While that is also possible with URL-based schemes, that can be difficult with many application frameworks because of the way URLs may be overloaded by them for different functions.
...