We experienced a spear phishing attack where the user routinely approved an MFA challenge for an attacker signing in outside of the country via the Authenticator Approve/Deny challenge.

If there were an option to require a one-time passcode on a non-company device when outside of the country, this attack would have failed. Or the new passwordless "match the pin on the screen" logon option would have also failed the attack.

I would like to suggest being able to select the MFA challenge type as an option when creating a new conditional access policy.