They're just forcing 2FA on accounts that meet some kind of threshold of "suspicious" behaviour. There's likely a lot of metrics being used to identify that.