Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello, we are trying to understand the MFA flow for Kratos. The way we have it set up now, we must make a minimum of 4 requests:

1. Get login flow aal1
2. Login call with password method (aal1)
3. Get login flow aal2
4. Login call with aal2
It doesn't seem like there is a way to force kratos to require the MFA steps without manually creating a new flow. Is this intentional or is there a hook or setting in kratos config that should allow enforcing MFA