Authentication Policies
Authenticator policies are mechanisms to specify which authenticators are allowed for enrolment, and implicitly for authentication. By setting the allowed state for each authenticator, the policy completely defines which authenticators can be used and which cannot.
If different users should enrol different types of authenticators, this can be controlled through policies attached to group membership. Define a Custom Policy that specifies which authenticators are allowed to be enrolled, then create a Custom Group and select the desired policy to be applied whenever a user of that group enrols. If the user is part of multiple groups with different policies, the policies are aggregated to allow the union of all allowed authenticators. If the user is not part of any group with a policy, the Global Authentication Policy is applied.
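The aggregation rule above, modelled as an added example (not the product's own code): it resolves the authenticators a user may enrol from their group memberships and reports where the union overrides a stricter group policy. The authenticator names, group names and data layout are assumptions constructed for illustration.

```python
# Added example: models the aggregation rule described above. Authenticator
# names, group names and the data layout are constructed for illustration.
from typing import Dict, List, Optional, Set

Policy = Dict[str, bool]  # authenticator name -> allowed state

GLOBAL_POLICY: Policy = {"fido2": True, "totp": True, "sms_otp": True}

# Custom Group -> attached Custom Policy (None = group has no policy)
GROUP_POLICIES: Dict[str, Optional[Policy]] = {
    "admins": {"fido2": True, "totp": False, "sms_otp": False},
    "helpdesk": {"fido2": True, "totp": True, "sms_otp": False},
    "contractors": {"fido2": False, "totp": False, "sms_otp": True},
    "newsletter": None,
}


def allowed(policy: Policy) -> Set[str]:
    """Authenticators whose allowed state is set in this policy."""
    return {name for name, state in policy.items() if state}


def effective_authenticators(groups: List[str]) -> Set[str]:
    """Union over every group policy; Global policy only if none applies."""
    policies = [GROUP_POLICIES[g] for g in groups
                if GROUP_POLICIES.get(g) is not None]
    if not policies:
        return allowed(GLOBAL_POLICY)
    result: Set[str] = set()
    for policy in policies:
        result |= allowed(policy)
    return result


def widened_by_membership(groups: List[str]) -> Dict[str, Set[str]]:
    """Per group policy: authenticators it disallows that the user can
    still enrol because another of their groups allows them."""
    effective = effective_authenticators(groups)
    report: Dict[str, Set[str]] = {}
    for g in groups:
        policy = GROUP_POLICIES.get(g)
        if policy is not None and effective - allowed(policy):
            report[g] = effective - allowed(policy)
    return report
```

Because aggregation is a union, a strict policy on one group does not restrict a user who also belongs to a group with a more permissive policy; `widened_by_membership` lists exactly those cases for review.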
More information on how to use policies can be found under Policy Mechanism.