# talk-kratos
l
Hello, I am implementing MFA, specifically TOTP. TOTP should be mandatory, so right after registration (I use OIDC with Google as the provider) a user should be prompted to add Google Authenticator and on each sign-in they should type the code from the Google Authenticator app. I have set:
```yaml
methods:
  totp:
    enabled: true
    config:
      issuer: Ory Demo

session:
  whoami:
    required_aal: highest_available
```
But now, users can normally sign-in/sign-up via OIDC and are never prompted to link the TOTP app. Why is TOTP not enabled? Based on the information in the docs, it should be enabled by now.
s
We're also struggling with this exact same hurdle. How do you restrict access for a user if they haven't set up `f2a`? It doesn't seem logical to do this on the front-end, right?
```typescript
// Create a browser login flow, optionally requesting a specific AAL (e.g. aal2 for TOTP)
ory.frontend
  .createBrowserLoginFlow({
    refresh: Boolean(refresh),
    aal: aal ? String(aal) : undefined,
    returnTo: returnTo ? String(returnTo) : undefined,
  })
```
We figured it out 💪 It wasn't very clear that the need for `f2a` isn't "forced", but happens on request. So you can ask a user to fill in their f2a. For example, after logging in, you want to check if the user has `f2a` and if they don't, you can redirect them and let them fill it in
l
Hey @stale-queen-97584 So, you are suggesting to check if the user has the required aal level on each request. So I would need a wrapper on top of Kratos's /sessions/whoami on my backend. Did I understand you correctly?
s
Well, obviously I don't know what you're using it for, but the idea doesn't seem to be that you can't login without f2a, but that you can't access whatever source you want to share without the f2a
So, probably, in your software, you're currently checking if someone is logged in, but you should also check if they have f2a
l
Yeah, that seems correct. So we would allow a user to log in without 2fa, but to access any endpoint, we would require a session with completed 2fa (totp)
s
@lemon-apartment-14887 hola. I believe there is another step to account for. So you can actually configure Kratos to demand 2fa for the `whoami` and `settings` page. It's the same concept - the API checks whether the user needs 2fa. This results in the `whoami` giving a 403 when the user isn't authenticated with 2fa