Yes, you can require users to set up Multi-Factor Authentication (MFA) in Ory. This can be done by adjusting the configuration file of your self-hosted Ory instance. In the configuration file, you can set the

required_aal

(Authenticator Assurance Level) under

selfservice.flows.settings

to

highest_available

. This forces users to provide the highest authentication factor to access their account settings. For example, users without a second factor configured can access the settings after they sign in with their password. Users that have a second factor set up (such as a TOTP app) will must complete the second factor challenge to access account settings. Here is an example of how to set it up in the configuration file:

yaml # ...   selfservice:     flows:       settings:         required_aal: highest_available   # ...   session:     whoami:       required_aal: aal1   # ...

If you want all users that configured a second factor to complete the factor before using your app, set

session.whoami.required_aal

to

highest_available

. Please note that after MFA has been enabled for the Ory Network project, each user is responsible for enabling MFA in their own account by pairing their account with a MFA app. In the Ory Account Experience, users are not automatically prompted to enable MFA for their accounts. To enable MFA, users must sign in to their accounts and go to the Authenticator App section of the Account Settings page. For more details, please refer to the [Ory documentation](https://www.ory.sh/docs/kratos/self-hosted/mfa#enforce-mfa).

Yes, it is possible to require at least

aal2

(Authenticator Assurance Level 2) for certain operations or endpoints in your application. This can be done by setting the

required_aal

parameter in the configuration file of your self-hosted Ory instance. For example, if you want all users that configured a second factor to complete the factor before using your app, you can set

session.whoami.required_aal

to

aal2

or

highest_available

in the configuration file:

yaml # ...   session:     whoami:       required_aal: aal2   # ...

This configuration will require users to complete the second authentication factor before they can use your application. In addition, you can also initiate a new login flow with the

aal

parameter set to

aal2

to make users complete a second authentication factor in their current session for accessing sensitive functions in your application, such as payment details or private content. For more details, please refer to the [Ory documentation](https://www.ory.sh/docs/kratos/self-hosted/mfa#enforce-mfa).

I apologize for the confusion. You're correct. According to the [Ory documentation](https://www.ory.sh/docs/kratos/self-hosted/mfa#enforce-mfa), the

session.whoami.required_aal

can only be set to

aal1

. However, you can still enforce a higher level of authentication (such as MFA) for certain operations by setting the

required_aal

under

selfservice.flows.settings

to

highest_available

. This will require users to provide the highest authentication factor to access their account settings. Here's how you can set it in the configuration file:

yaml # ...   selfservice:     flows:       settings:         required_aal: highest_available   # ...

This configuration forces users to provide the highest authentication factor to access their account settings. For example, users without a second factor configured can access the settings after they sign in with their password. Users that have a second factor set up (such as a TOTP app) will must complete the second factor challenge to access account settings. I hope this helps! If you have any other questions, feel free to ask.