Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi - there are 2 Kratos issues around SMS based 2FA auth that I’m fairly certain makes SMS 2FA unusable for most production settings (including us):

• <https://github.com/ory/kratos/issues/3801|highest_available AAL does not work with SMS based 2FA>
• <https://github.com/ory/kratos/issues/3802|Kratos generates broken redirects to AAL2 login flows if identity has both SMS and another 2FA method>
I was wondering if there is anything I can do to help resolve these issues? They aren’t really simple bug fixes - they need some thought on how to approach things and that’s probably best led by Ory. We are really interested in seeing SMS based 2FA working