Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

The `aal` is a property of the sessions. In your app, when you resolve the session `.toSession()` , you can check if MFA has been applied and navigate the user accordingly. You could also consider <https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions|privileged sessions> for sensitive actions.

Thanks, this clears things up knowing that aal is attached to the session. I’m thinking that after the second factor is passed, that I could set a token in a cookie and use that as verification that the second factor has been passed for a given device. Is there any flaws with this approach? You guys are the security experts and though I’ve read a few books on it, I always welcome a second opinion.

Yes. You could <https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions#refreshing-sessions-as-administrator|extend sessions> of ‘trusted devices’. Or force a refresh on all other devices.