# ory-copilot
@chilly-king-10285 I am using the self-hosted version of Ory. Until now, we have been using email/password as an AAL1 authentication method, with optional TOTP that users could choose to enable after signing up. If a user enabled AAL2, they were prompted to enter a 2FA code during their next login. Now, we are planning to switch to passwordless authentication. However, it seems that with passwordless authentication, even if a user enabled TOTP during signup, they can log in without being prompted for TOTP. Can you please clarify that passwordless authentication does not require TOTP even though it's set up by the user?
A message from kapa.ai
Based on the information provided in the knowledge sources, I can clarify the situation regarding passwordless authentication and TOTP in Ory Kratos (the self-hosted version of Ory Identities). You are correct in your observation. Passwordless authentication, such as WebAuthn/Passkeys, is considered a strong authentication method on its own and does not require an additional factor like TOTP, even if the user has set it up.

According to the [Passkeys & WebAuthN documentation](https://www.ory.sh/docs/kratos/passwordless/passkeys#passkeys-with-the-webauthn-strategy), passwordless authentication via WebAuthn is designed to replace traditional password-based authentication. It uses the device's built-in capabilities for verifying the user's identity, which is considered secure enough on its own. The documentation states: "When you enable passwordless authentication with WebAuthn or Passkeys, it is not considered as a second authentication factor." This means that even if a user has set up TOTP, when they use passwordless authentication (like WebAuthn/Passkeys), they won't be prompted for the TOTP code during login. The passwordless method is considered sufficient for authentication.

It's important to note that this behavior is by design and is based on the security model of passwordless authentication, which is intended to provide both convenience and security without the need for additional factors. If you require users to always use two factors, you might need to reconsider your authentication strategy or consult with Ory support for potential custom solutions that fit your specific security requirements.
@chilly-king-10285 I am using passwordless auth using an email 6-digit code. I am not using Passkeys or WebAuthN. Based on this information, how does your answer change?
A message from kapa.ai
Thank you for providing that additional information. My previous answer was indeed focused on WebAuthn/Passkeys, which is different from the email 6-digit code method you're using. Let me clarify based on your specific use case.

For passwordless authentication using email 6-digit codes, the behavior is different from WebAuthn/Passkeys. Here's how it works:

1. One-time code via email is considered an AAL1 (Authentication Assurance Level 1) method, similar to password-based authentication.
2. If a user has set up TOTP (Time-based One-Time Password) as a second factor, they should still be prompted to enter the TOTP code after successfully authenticating with the email 6-digit code.

This is because the email one-time code method is not considered as strong as WebAuthn/Passkeys. It falls under the "code" authentication method in Ory's terminology. According to the [Email and SMS one-time-code authentication documentation](https://www.ory.sh/docs/kratos/passwordless/one-time-code), this method is useful for minimal authentication processes but is not inherently multi-factor.

If you've configured MFA (Multi-Factor Authentication) to require the highest available authentication level, users who have set up TOTP should be prompted for it after successfully using the email code. You can enforce this behavior by adjusting the configuration as described in the [Configure multi-factor authentication documentation](https://www.ory.sh/docs/kratos/self-hosted/mfa#enforce-mfa):
```yaml
selfservice:
  flows:
    settings:
      required_aal: highest_available
session:
  whoami:
    required_aal: highest_available
```
This configuration ensures that users are required to provide the highest level of authentication they have available, which would include TOTP if they've set it up. If you're not seeing this behavior, you may need to review your configuration or consult with Ory support to ensure it's set up correctly for your specific use case.
@chilly-king-10285 I have already defined `highest_available` for whoami and settings. Still it's not asking me for TOTP. What might be the reasons?
A message from kapa.ai
Based on the information you've provided and the knowledge sources available, there could be a few reasons why you're not being prompted for TOTP even though you've set `highest_available` for `whoami` and `settings`. Let's explore some potential causes:

1. TOTP Configuration: Make sure that TOTP is properly configured in your Ory Kratos instance. According to the [TOTP documentation](https://www.ory.sh/docs/kratos/mfa/totp), you need to enable TOTP in your configuration file:
```yaml
selfservice:
  methods:
    totp:
      config:
        issuer: ExampleIssuerForSelfHosted.com
      enabled: true
```
2. Identity Schema: Ensure that your identity schema is correctly set up to work with TOTP. As mentioned in the [Custom identity schema documentation](https://www.ory.sh/docs/kratos/mfa/totp#custom-identity-schema), you need to add a `totp` section to the identity schema:
```json
{
  "ory.sh/kratos": {
    "credentials": {
      "totp": {
        "account_name": true
      }
    }
  }
}
```
3. MFA Configuration: Double-check that MFA is properly enabled for the `code` method. As per the [SMS and Email 2FA documentation](https://www.ory.sh/docs/kratos/mfa/mfa-via-sms), ensure that `mfa_enabled` is set to `true` for the `code` method:
```yaml
selfservice:
  methods:
    code:
      mfa_enabled: true
```
4. Session Configuration: Make sure that your session configuration is correct. The [Step-up authentication documentation](https://www.ory.sh/docs/kratos/mfa/step-up-authentication) suggests checking these settings:
```yaml
selfservice:
  flows:
    settings:
      required_aal: highest_available
session:
  whoami:
    required_aal: highest_available
```
5. User Setup: Confirm that the user has actually set up TOTP for their account. If TOTP hasn't been configured for the user, they won't be prompted for it even if it's enabled system-wide.
6. Potential Bug: There's a possibility that you're encountering a bug. There have been issues reported related to MFA and passwordless authentication, such as the one described in this [GitHub issue](https://github.com/ory/network/issues/399). While this specific issue was about OIDC and MFA, it highlights that unexpected behaviors can occur with MFA configurations.

If you've verified all these points and are still not being prompted for TOTP, I recommend reaching out to Ory support or opening an issue on the Ory Kratos GitHub repository. They may be able to provide more specific guidance based on your exact configuration and setup.