@high-optician-2097 / @magnificent-energy-493 I am using the self-hosted version of Ory. Until now, we have been using email/password as an AAL1 authentication method, with optional TOTP that users could choose to enable after signing up. If a user enabled AAL2, they were prompted to enter a 2FA code during their next login.
Now, we are planning to switch to passwordless authentication. However, it seems that with passwordless authentication, even if a user enabled TOTP during signup, they can log in without being prompted for TOTP.
Can you please clarify that passwordless authentication does not require TOTP even though it's set up by the user?