# ory-network
s
Hey, I have a use case where I want to allow organizations to enforce 2FA per org scope. Is this possible in Ory Kratos? If yes, how do we approach it? If not, is there a clever workaround?
m
Hello @silly-belgium-72317, are you already using the Organizations feature? How exactly do you want to enforce MFA? On every login, for all organizations? Or just in some cases, for some of your customers? There is no one-click button to enforce MFA for Organizations, but you can use our "step-up auth" feature for it: https://www.ory.sh/docs/kratos/mfa/step-up-authentication So when a user logs in, you would check in your frontend which org is associated with the identity, and if that org is on the list of orgs that need MFA enforced, you force a step-up authentication for that user.
s
Hey @magnificent-energy-493

> are you already using the Organizations feature?

No, not yet.

> On every login, for all organizations? Or just in some cases, for some of your customers?

Just for some of my customers.

> There is no one-click button to enforce MFA for Organizations

This one I'm aware of, but as you pointed out, I'm more interested in a solution where I enforce it for some of my customers.
s
You can always check the AAL in the session and, if applicable, redirect the user to the MFA login. So in the layer where you check the session, you can add any kind of logic (e.g. based on the email domain or organization ID) and enforce MFA that way. That's basically what Vincent described as well, just framed differently.