- Bug
- Resolution: Unresolved
- Minor
- None
- 4.4.8
- MOODLE_404_STABLE
When an admin uses the "Log in as" function to impersonate a user, Moodle's Multi-factor Authentication (tool_mfa) plugin treats the session as a real login. It sends an SMS code to the user's mobile device. This creates confusion and concern, and violates user expectations.
Client Impact:
A client planning an MFA rollout has flagged this as a critical issue. Their team relies on "Log in as" for daily support and cannot risk unintentionally triggering SMS messages to thousands of users.
Expected Behavior:
"Log in as" should not trigger multifactor authentication (MFA) factors, such as SMS. At the very least, this should be configurable.
Proposed Solution:
Either (a) exclude impersonation sessions from MFA triggers, or (b) add a setting to control this behavior.
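
A sketch of option (b) as a decision function, added here as an illustration; it is not Moodle or tool_mfa code. The function name, the setting values and the session array layout are assumptions; the only Moodle behaviour relied on is that a "Log in as" session records the original admin as `realuser` on the session user.

```php
<?php
// Added illustration; not Moodle or tool_mfa code. All names are hypothetical.
// Assumption: an impersonation session is recognisable by a non-empty
// "realuser" id, as Moodle records the original admin during "Log in as".

const LOGINAS_CHALLENGE = 'challenge'; // behaviour reported in this issue
const LOGINAS_SKIP      = 'skip';      // option (a), or option (b) set to skip

/**
 * Decide whether MFA factors fire for a session and who would be notified.
 *
 * @param array  $session     ['userid' => int, 'realuser' => ?int, 'mfa_passed' => bool]
 * @param string $loginasmode hypothetical admin setting from option (b)
 * @return array ['challenge' => bool, 'notify_userid' => ?int, 'reason' => string]
 */
function mfa_decision(array $session, string $loginasmode): array {
    $impersonating = !empty($session['realuser']);

    if (!$impersonating) {
        // Ordinary login: challenge the account owner unless already verified.
        $needed = empty($session['mfa_passed']);
        return ['challenge' => $needed,
                'notify_userid' => $needed ? $session['userid'] : null,
                'reason' => $needed ? 'normal login' : 'already verified'];
    }
    if ($loginasmode === LOGINAS_SKIP) {
        // No SMS code is sent to the impersonated user's phone.
        return ['challenge' => false, 'notify_userid' => null,
                'reason' => 'impersonation session, skipped by setting'];
    }
    // Reported behaviour: the session is treated as a real login.
    return ['challenge' => true, 'notify_userid' => $session['userid'],
            'reason' => 'impersonation treated as real login'];
}

// Constructed sample sessions: user 42 logging in directly, then admin 2
// using "Log in as" for user 42.
$sessions = [
    'direct login' => ['userid' => 42, 'realuser' => null, 'mfa_passed' => false],
    'log in as'    => ['userid' => 42, 'realuser' => 2,    'mfa_passed' => false],
];
foreach ([LOGINAS_CHALLENGE, LOGINAS_SKIP] as $mode) {
    foreach ($sessions as $label => $s) {
        $d = mfa_decision($s, $mode);
        printf("%-10s %-13s challenge=%-5s sms_to=%s (%s)\n", $mode, $label,
            var_export($d['challenge'], true), $d['notify_userid'] ?? '-', $d['reason']);
    }
}
```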