Ory currently supports Multi-Factor Authentication (MFA) via SMS and Time-based One-Time Passwords (TOTP), but there's no direct mention of MFA via email in the provided documentation. For MFA via SMS, you need to provide a custom SMS sender. Ory sends the code, the phone number, and other metadata to a webhook of your choice. You start a new MFA flow by creating a new login flow with the

aal

parameter set to

aal2

and specify which trait to use for delivering the code to the user. This trait should exist in the identity schema and you set the

via

parameter to its identifier. If you have a trait called

phone_number

, you'd set

via

to

phone_number

[source](https://www.ory.sh/docs/kratos/mfa/mfa-via-sms#integration). For TOTP, users generate these passwords with companion apps such as Google Authenticator or FreeOTP and enter them when asked to provide their second authentication factor. You can enable TOTP authentication in Ory Identities (Kratos) to allow users to perform 2FA with TOTP apps [source](https://www.ory.sh/docs/kratos/mfa/totp). However, if you want to implement MFA via email, you might need to customize your implementation or check if there are more recent updates in the Ory documentation that cover this use case.