# ory-selfhosting
q
hello, is it possible to use ory 2FA not only for authenticating the user on login, but also later (while the user is already logged in) to confirm certain operations?
d
You can make your own API behave in a similar way to what Kratos does. You can inspect the session to check when it was authenticated, and if the session is too old, throw an error.
we do this in our API for sensitive operations - throw a 403 if the user’s session is too old. The client can then start a refresh session flow
k
Thank you, I am not sure if refreshing an old session will cut it here - imagine a use case where each withdrawal from an account requires 2FA (actually, it is an existing requirement for banks in the EU). In the case of subsequent withdrawal operations, the session is seconds old, and still a new 2FA flow is required.
d
What 2fa method are you using? TOTP for example usually only updates every 30 seconds, not much benefit requiring re-auth if the code hasn’t changed. If what you actually want is a unique verification per transaction then you might be better using something like Twilio Verify, as their codes can only be used once
s
Similar to what Michael said about session age, you can also inspect the session to see what type of credential (2FA) was used, and when. So you can require 2FA for certain API endpoints by allowing only sessions that had 2FA authentication in the last e.g. 10s. If the session does not satisfy whatever conditions you come up with, you can always redirect the user to the login screen. See also this docs page: https://www.ory.sh/docs/kratos/mfa/step-up-authentication#trigger-dynamic-multi-factor-authentication