DRAFT

The Multi-Context Broker Model is a useful way to think about the Shibboleth IdP's orchestration among multiple authentication methods in support of multifactor authentication, as well as multiple authentication contexts and assurance profiles. This document is a brief tutorial about the MCB Model and how it can be used. Recipes for configuring the MCB Model in IdPv3 are available from Orchestrating Multiple Authentication Methods and Contexts - The Multi-Context Broker (MCB).

...

Info: Authentication Method Selected by Relying Party Configuration for SP

If an SP does not explicitly specify a RequestedAuthnContext, then a default can be identified in relying party configuration. If that default is for MFAContext, then that would have the same effect as the SP requesting MFAContext. See Configuring the IdP for the Multi-Context Broker Model in Shibboleth IdPv3 for more information.

Authentication Method Selected by User Certification

...

Info: Second Factor Only Technologies

Second factor only technologies like U2F and Duo are not full-fledged Authentication Methods, as described in this document. The MCB Model, and IdPv3, consider an Authentication Method as something that tells you who the current user is. Second factor only technologies do not do this; you tell them who you think the current user is, and they tell you if they agree with that (increasing your confidence in who the current user is).

For this reason, the user must have been authenticated with a first factor before a second factor method can succeed. For now, this requires configuration of an initial authentication method, as described in Configuring the IdP for the Multi-Context Broker Model in Shibboleth IdPv3 and/or custom authentication flow scripting. The Shibboleth community, however, is working to enhance IdPv3's ability to accommodate second factor only technologies.
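The ordering constraint above, together with the relying party default described earlier, as a conceptual model added here for illustration; it is not Shibboleth IdP code or configuration. All function names, the `PasswordContext` label, the SP entity ID and the user data are hypothetical and constructed for the example.

```javascript
// Conceptual model only: hypothetical names, not Shibboleth IdP APIs.
// Constructed sample data. Maps avoid inherited-property lookups on user input.
const USERS = new Map([["alice", { password: "correct horse", device: "dev-1" }]]);
// Relying party default, used when the SP sends no RequestedAuthnContext.
const RP_DEFAULTS = new Map([["https://sp.example.org", "MFAContext"]]);

// Full-fledged Authentication Method: tells you who the current user is (or null).
function passwordMethod(input) {
  const u = USERS.get(input.username);
  // Plain comparison keeps the model short; a real verifier would not compare this way.
  return u !== undefined && u.password === input.password ? input.username : null;
}

// Second-factor-only check: you tell it who you think the user is,
// and it only agrees or disagrees. It never produces an identity itself.
function secondFactorCheck(claimedUser, input) {
  const u = USERS.get(claimedUser);
  return u !== undefined && u.device === input.device && input.approved === true;
}

function authenticate(spEntityId, requestedContext, input) {
  // An explicit request wins; otherwise fall back to the relying party default.
  const context = requestedContext || RP_DEFAULTS.get(spEntityId) || "PasswordContext";

  // Initial authentication method: the first factor must establish the identity.
  const user = passwordMethod(input);
  if (user === null) return { ok: false, reason: "first factor failed" };
  if (context !== "MFAContext") return { ok: true, user, context };

  // The second factor is consulted only with the identity the first factor
  // established, never with a username taken directly from the request.
  if (!secondFactorCheck(user, input)) {
    return { ok: false, reason: "second factor failed" };
  }
  return { ok: true, user, context };
}
```
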

...

How Do I Configure the IdP for the Multi-Context Broker Model?

...