To configure Email Multi-Factor Authentication (MFA) in Ory, you need to follow these steps: 1. Enable MFA via code in your Ory Identities configuration:

yaml selfservice:   methods:     code:       mfa_enabled: true

2. Ensure your Identity Schema correctly marks the email trait as the identifier for the

code

method:

json {   "properties": {     "traits": {       "properties": {         "email": {           "type": "string",           "format": "email",           "<http://ory.sh/kratos|ory.sh/kratos>": {             "credentials": {               "code": {                 "identifier": true,                 "via": "email"               }             }           }         }       }     }   } }

3. Configure an email delivery provider to ensure reliable delivery of one-time codes. It's recommended to set up your own SMTP provider for full control over the email delivery process. 4. To initiate an MFA flow for an existing session, create a new login flow with the

aal

parameter set to `aal2`:

https://<your-custom-domain-or-project-slug>/self-service/login/browser?aal=aal2

For more detailed information on configuring MFA, you can refer to the [SMS and Email 2FA documentation](https://www.ory.sh/docs/kratos/mfa/mfa-via-sms). Note that while email MFA is supported, it's important to be aware that email-based authentication methods can have security limitations. For enhanced security, consider using more robust MFA methods like [TOTP](https://www.ory.sh/docs/kratos/mfa/totp) or [FIDO2/WebAuthn](https://www.ory.sh/docs/kratos/mfa/webauthn-fido-yubikey).