# general
c
Is the idea behind Email/SMS MFA that they are just delivery channels for the "code/OTP" MFA mechanism? If I want to allow a user to enable those channels, do I just need to have them enable "code" MFA through the self-service APIs?
b
Code MFA is a system-wide option, and whether Kratos uses SMS or Email depends on the address type. The other cannot disable the channel themselves.
c
When you say a system wide option, you mean that there is no way for a user to "enable" code-based MFA at all? Is there another way to set up Email-based MFA that I'm missing or is the only option to use the code method? I ask because you can set up authenticator apps, which is similar (TOTP/code seem very similar to me).
b
Yes, that's correct. Unfortunately, no, it's either turned on for all or not.
Can you expand on your use case?
c
I guess our use case is that we have a reasonably non-sensitive authentication requirement, such that MFA is not typically required. But the CISO reviewing the project has asked that we allow users to set up MFA if they don't feel comfortable without it. Our users are non-technical, so we would prefer to allow them to choose "legacy" MFA mechanisms that don't require an app or a device to authenticate with. We work in the health sector, where these sorts of requirements are common.