Navigate to ADMINISTRATION | Users | Permission Sets
Click the New button
Enter the Lebel and API Name
Click Save to create this new permission set
Click the newly created permission set, e.g. SafeID Token Service
Scroll down to the System section
Click the System Permissions link
Click the Edit button
Scroll down until you see the option "Manage Multi-Factor Authentication in API"
Enable the option "Manage Multi-Factor Authentication in API" and "Manage Multi-Factor Authentication in User Interface"
Scroll up to the top
Click the "Save" button to save the settings.