To enable registration using both password and passwordless methods in Ory, you need to configure each method separately. Here's how to do it: ## Password Authentication 1. Enable password authentication in your configuration:

yaml selfservice:   methods:     password:       enabled: true

You can do this via: - The Ory Console UI: Go to Authentication → Registration and toggle Enable Password Authentication - The Ory CLI:

ory patch identity-config "$PROJECT_ID" \   --replace '/selfservice/methods/password/enabled=true'

[Login and registration using passwords](https://www.ory.sh/docs/kratos/concepts/credentials/username-email-password) ## Passwordless Authentication You have several options for passwordless authentication: ### 1. WebAuthn/Passkeys

yaml selfservice:   methods:     passkey:       enabled: true       config:         rp:           display_name: "Your Application name"

You can enable this in the [Ory Console](https://console.ory.sh/projects/current/passwordless) under Authentication → Passwordless login by toggling the switch for Enable Passkey authentication. [Passkeys with the dedicated passkey strategy](https://www.ory.sh/docs/kratos/passwordless/passkeys#passkeys-with-the-dedicated-passkey-strategy) ### 2. One-Time Code via Email or SMS

yaml selfservice:   methods:     code:       passwordless_enabled: true

You can enable this in the [Ory Console](https://console.ory.sh/projects/current/passwordless) under Authentication → Passwordless login. [Email and SMS one-time-code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code) ### 3. Legacy WebAuthn (for backward compatibility)

yaml selfservice:   methods:     webauthn:       enabled: true       config:         passwordless: true         rp:           display_name: "Ory"

You can enable this in the [Ory Console](https://console.ory.sh/projects/current/passwordless) under Authentication → Passwordless login. [WebAuthn Configuration](https://www.ory.sh/docs/kratos/passwordless/passkeys#configuration-2) ## Identity Schema Configuration For custom identity schemas, make sure to mark the appropriate fields for each authentication method. For example, for password authentication:

json {   "type": "string",   "format": "email",   "<http://ory.sh/kratos|ory.sh/kratos>": {     "credentials": {       "password": {         "identifier": true       }     }   } }

For passkeys, define which field is the display name:

json {   "type": "string",   "format": "email",   "<http://ory.sh/kratos|ory.sh/kratos>": {     "credentials": {       "passkey": {         "display_name": true       }     }   } }

After configuring these settings, both password and passwordless methods will be available during registration.

I'll explain how to configure the registration flow in Ory to support both password and one-time code via email methods. ## Enable Both Authentication Methods First, you need to enable both the password and code methods in your configuration:

yaml selfservice:   methods:     password:       enabled: true     code:       enabled: true       passwordless_enabled: true

You can configure this through: - Ory Console UI: Go to Authentication → Registration to enable password authentication, and Authentication → Passwordless login to enable one-time code - Ory CLI:

ory patch identity-config <your-project-id> \ --add '/selfservice/methods/password/enabled=true' \ --add '/selfservice/methods/code/passwordless_enabled=true'

[Registration](https://www.ory.sh/docs/kratos/self-service/flows/user-registration) | [Email and SMS one-time-code authentication](https://www.ory.sh/docs/kratos/passwordless/one-time-code) ## Configure Identity Schema Ensure your identity schema properly marks the email field for both authentication methods:

json {   "type": "string",   "format": "email",   "title": "E-Mail",   "<http://ory.sh/kratos|ory.sh/kratos>": {     "credentials": {       "password": {         "identifier": true       },       "code": {         "identifier": true,         "via": "email"       }     },     "verification": {       "via": "email"     }   } }

This configuration marks the email field as the identifier for both password authentication and one-time code via email. [Custom identity schema](https://www.ory.sh/docs/kratos/passwordless/one-time-code#custom-identity-schema) ## Registration Flow Options You can choose between: 1. Legacy one-step registration: Shows all authentication methods at once 2. Two-step registration: First collects identity traits, then asks for authentication method To use the more streamlined two-step registration:

ory patch project --project <project-id> --workspace <workspace-id> \   --replace '/services/identity/config/selfservice/flows/registration/enable_legacy_one_step=false'

Or disable it in the Ory Console under Authentication → Registration by switching off Enable legacy one-step registration. [Two-step registration](https://www.ory.sh/docs/identities/sign-in/two-step-registration) ## Email Template Customization For the one-time code method, you'll need to ensure email delivery is properly configured. You can customize the email templates to match your brand: - For registration via one-time code, the system uses the

registration_code.valid

template - For login via one-time code, the system uses the

login_code.valid

template [Email templates](https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates) ## Auto Sign-in After Registration To enable automatic sign-in after registration with one-time code:

yaml selfservice:   flows:     registration:       after:         password:           hooks:             - hook: session         code:           hooks:             - hook: session

This ensures users are automatically logged in after completing registration with either method. Make sure you have a reliable email delivery provider configured for the one-time codes to be delivered properly. Consider setting up your own [SMTP provider](https://www.ory.sh/docs/kratos/emails-sms/sending-emails-smtp) for better control over email delivery.

I can see the issue you're experiencing with different registration form behaviors between your Ory Cloud and local environments. This difference is likely due to the registration flow configuration, specifically related to the "one-step" versus "two-step" registration setting. ## The Difference Between Your Environments In your Ory Cloud environment, you're seeing two separate forms (one for passwordless code via email and one for password), while locally you're seeing a single form. This suggests that: - Your Ory Cloud project likely has the legacy one-step registration enabled - Your local environment is using the newer two-step registration flow (or has a different configuration) ## How to Fix This To make your local environment match your Ory Cloud setup (showing two forms), you need to enable the legacy one-step registration: ### Using Ory CLI

ory patch project --project <project-id> --workspace <workspace-id> \   --replace '/services/identity/config/selfservice/flows/registration/enable_legacy_one_step=true'

### In Your Local Configuration File Add this to your local Kratos configuration:

yaml selfservice:   flows:     registration:       enable_legacy_one_step: true

## Understanding the Two Registration Approaches The difference you're seeing is explained in the [Two-step registration](https://www.ory.sh/docs/identities/sign-in/two-step-registration) documentation: > With a one-step registration, when you enable multiple authentication strategies (for example password, code via email, and passkey), the identity traits will be repeated for each authentication strategy. > > Compare this to a two-step registration: Now, the user is prompted for the identity traits in the first step, and asked to choose a credential method for authentication next. This results in a more stream-lined user experience. ## Checking Your Current Configuration To verify your Ory Cloud configuration:

ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml

Look for the

selfservice.flows.registration.enable_legacy_one_step

setting. ## Using Ory Tunnel for Local Development If you're using Ory Tunnel for local development, make sure you're running it correctly:

npx @ory/cli tunnel --dev <http://localhost:3000>

This will expose Ory APIs on

<http://localhost:4000>

and ensure cookies work properly for your local application. [Run Ory APIs on localhost](https://www.ory.sh/docs/getting-started/integrate-auth/react#run-ory-apis-on-localhost) Both identity schemas look correct for supporting both password and code authentication methods. The difference in behavior is likely just the registration flow configuration setting.