Can we combine sign-in email password with a code ...
# ory-copilot
w
Can we combine sign-in email password with a code sent via email?
@chilly-king-10285
c
Sorry @worried-helmet-5462, I'm not sure what you mean. Please try again. 👋
w
Can we combine sign-in email password with a code sent via email?
@chilly-king-10285 Can we combine sign-in email password with a code sent via email?
c
A message from kapa.ai
Yes, Ory Kratos supports a combination of sign-in methods. You can use the `password` method for login and registration with email and/or username and password. Additionally, you can use the `code` method which implements a one-time-password sent to the user via their recovery addresses (Email, SMS, etc.). When you enable the one-time code method, the login flow will need to send out an email to users signing in through the one-time code method. The system will then use the `login_code.valid` template to send the login code to the user. For more details, you can refer to the following documentation:
- [Self-service flows](https://www.ory.sh/docs/kratos/self-service)
- [Passwordless authentication with one-time code](https://www.ory.sh/docs/kratos/passwordless/one-time-code)
w
@chilly-king-10285 how can we detect that a user has completed the code via email when calling the whoami endpoint?
c
A message from kapa.ai
The `/sessions/whoami` endpoint in Ory Kratos is used to check if a user is signed in and has an active session. It does not provide information about whether a user has completed a code via email. When you make a request to the `/sessions/whoami` endpoint with a valid session token or session cookie, the system will return a `200 OK` response and the session payload if the user has an active session. If the user doesn't have an active session, the system returns a `401 Unauthorized` response. Here is an example of how to check for an active session with an Ory Session Token:
```bash
curl -H "Authorization: Bearer {your-session-token}" \
  "https://{project.slug}.projects.oryapis.com/sessions/whoami"
```
And here is an example of how to check for an active session with an Ory Session Cookie:
```bash
curl -H "Cookie: ory_session_...=..." \
  "https://{project.slug}.projects.oryapis.com/sessions/whoami"
```
Please note that the `{your-session-token}` and `{project.slug}` should be replaced with your actual session token and project slug. For more details, you can refer to the following documentation:
- [Check session status](https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api)
- [Integration basics - Session Checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks)
w
@chilly-king-10285 Can I configure this combination to affect only email password, without OIDC sign-in?
c
A message from kapa.ai
Yes, you can configure Ory Kratos to trigger different actions based on the authentication method used. For example, you can set it up to trigger a specific action when a user signs in with a password (email/password combination), and a different action when a user signs in using OIDC. Here are the authentication methods you can customize:
- `password`: Sign-in and sign-up with username/email and password combo.
- `oidc`: Sign-in and sign-up through OIDC-compliant OAuth2 identity providers.
- `totp`: MFA Sign-in with a TOTP code from apps such as Google Authenticator.
- `webauthn`: MFA Sign-in with WebAuthn-compatible factors (FaceID, YubiKey) or passwordless sign-up and sign-in.
- `lookup_secret`: MFA Sign-in with recovery codes.

You can use Ory Actions to customize the behavior of the system based on these authentication methods. For example, when a user signs in with a password, you can use Ory Actions to send a welcome email to the user or update user information in your database. When a user signs in using OIDC, you can use Ory Actions to enrich your CRM with data from the social sign-in provider. For more details, you can refer to the following documentation:
- [Triggers based on authentication methods](https://www.ory.sh/docs/kratos/hooks/configure-hooks#triggers-based-on-authentication-methods)
w
@chilly-king-10285 Does Hydra support 2FA?
c
A message from kapa.ai
Ory Hydra itself does not directly support 2FA (Two-Factor Authentication) as it is an OAuth 2.0 and OpenID Connect provider, and these protocols do not specify anything about authentication, which includes 2FA. However, 2FA can be implemented in the application that integrates with Ory Hydra. This is typically done in the Identity Provider (IdP) that you use in conjunction with Ory Hydra. The IdP is responsible for managing user identities and performing user authentication, which can include 2FA. For example, if you use Ory Kratos as your IdP, you can configure it to use 2FA. Ory Kratos supports multiple second-factor authentication methods such as Time-based one-time password (TOTP), WebAuthn, and Lookup Secrets. For more details, you can refer to the following documentation:
- [Ory Kratos 2FA documentation](https://www.ory.sh/docs/kratos/mfa/overview#available-methods)
- [Ory Hydra documentation](https://www.ory.sh/hydra/docs/)