# talk-kratos
p
Seems like email MFA is pretty standard in lots of auth setups so I was kinda surprised when I couldn’t find a way to implement it with Ory.
r
Hi Spencer, might this be what you are looking for? https://changelog.ory.sh/announcements/sign-in-with-code-email-otp
p
Maybe, that looks like it is specific to just passwordless sign-on. Can it be used along with regular password sign-in in order to elevate the session to aal2?
r
I see. That combination is not recommended as it would defeat the purpose of the 2FA.

• Attacker obtains access to the email account of the user
• Attacker initiates a password reset and obtains access to the application account
• Wants to perform critical transaction, 2FA is triggered and the OTP is sent to the email account of the user (which the attacker has access to)
• 2FA challenge is defeated by the attacker

The 2FA should be a mechanism to protect the user account in case the first factor is breached. If you use email+password, the second factor should not rely on email as well. How about one of these MFA methods? To design robust security, consider combining these:

• Something you know (password, security question, email password)
• Something you are (face id, fingerprint id)
• Something you have (yubikey, recovery codes, smartphone)
p
Sorry for the late reply. I think having email MFA is kind of like 1/2 a second factor, and doesn’t completely defeat the purpose.

• If the user’s email is compromised, yes, they’re screwed if they rely on that as a second factor, for the exact reasons you outlined.
• However, there is a situation where the user’s password could be compromised without their email being the reason why. Maybe they used the same password on another account and that app had a security breach. In this situation, email MFA still provides some added level of security, even if it’s less than the security of proper MFA with a TOTP app, security key, etc.

I agree that email and phone MFA is less secure, but a TOTP app is still something the user has to opt in for, and I would still like to have some base level of MFA required for users that don’t opt for the more secure route.