diff --git a/idp/dex/provider.go b/idp/dex/provider.go
index 9f8f4ec90..a3e33dce2 100644
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -286,6 +286,7 @@ func ensureStaticClients(ctx context.Context, stor storage.Storage, clients []st
 old.Name = client.Name
 old.Public = client.Public
 old.PostLogoutRedirectURIs = client.PostLogoutRedirectURIs
+ old.MFAChain = client.MFAChain
 return old, nil
 }); err != nil {
 return fmt.Errorf("failed to update client %s: %w", client.ID, err)
diff --git a/management/server/idp/embedded.go b/management/server/idp/embedded.go
index 0a3c9ece0..f19af0a1d 100644
--- a/management/server/idp/embedded.go
+++ b/management/server/idp/embedded.go
@@ -203,6 +203,10 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 }
 // Absolutely required, otherwsise the dex server will omit the MFA configuration entirely
 os.Setenv("DEX_SESSIONS_ENABLED", "true")
+
+ for i := range cfg.StaticClients {
+ cfg.StaticClients[i].MFAChain = []string{"default-totp"}
+ }
 }
 // Add owner user if provided
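Review bot: In idp/dex/provider.go, the update closure in ensureStaticClients copies client fields one by one, which is presumably how `MFAChain` came to be left out, and an omission of this field fails open: an already-stored client keeps authenticating without the chain. A comment above the copied fields would make that visible, e.g. `// Every field applied to existing clients must be copied here; a missed MFAChain leaves the stored client without a second factor.` A test that updates an existing client and asserts the stored `MFAChain` would pin the behaviour, including the case where the configured chain is empty and the stored one is cleared. The closure begins above the hunk, so other fields may already be handled there.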
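Review bot: In management/server/idp/embedded.go, the new loop stamps the chain only on the clients that are in `cfg.StaticClients` when this block runs, so a client appended later in ToYAMLConfig (the function continues past the hunk) would be emitted without `MFAChain` and would not be asked for the second factor. If that can happen, apply the chain once the client list is final, or state the ordering requirement in a comment such as `// Must run after all static clients are added: a client without MFAChain skips MFA.` The literal `"default-totp"` presumably has to match the authenticator ID configured earlier in this block, which is outside the hunk; sharing one constant between the two places would keep them from drifting apart. The loop also overwrites any chain a client already carries, which looks intended but is worth saying in the comment.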