Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Is it possible to require users to register mfa and require an aal2 level when signing in?

Hello <@U077CEVA1PV>
not sure if the bot was able to help you, but I think this
```required_aal: highest_available  ```
 is the config you are looking for, you should be able to add it to any flow.

Yeah came across that setting but i need a way to require users to have at least aal2(any form of multi factor) is that possible?

yes, that is require aal2 for login right? let me check

But aal=aal2 or aal=aal3 can only be requested if there's already a session. I'm trying to require mfa for oidc

if you have whoami on highest_available and the user has MFA configured it should prompt them for MFA on login

Thanks! Is there also a way to require every user in your ory kratos project to register MFA?

In the middleware, check for the session’s AAL. If it is &lt; aal2  it is not an MFA session. If that is the case, redirect the user to your login endpoint with a request AAL:`/self-service/login/browser?aal=aal2`

Thanks for the suggestion. How would you do this for oidc setups?