Does anyone have a working example of identity.sch...
# ory-selfhosting
c
Does anyone have a working example of identity.schema.json using email + password to log in, with optional SMS MFA enabled?
m
hello @calm-farmer-87562 see this document: https://www.ory.sh/docs/kratos/mfa/mfa-via-sms#configuration should work the same for latest version of Ory Kratos
c
Ok, thanks for the help! A couple other weird configuration things I'm trying to achieve:
- If a user signs up w/ just an email, no verification (this is handled elsewhere) or mfa
- If a user adds a phone number, mfa is enforced.

Any idea what changes I might need to do that?
Took me a while, but figured out the issue - session/whoami needed to be changed to aal1 - the configuration docs made it look like that was the default level.
m
hey @calm-farmer-87562 thanks for reporting your fix! How can we improve the docs there? add something to the
Find `code` in `selfservice.methods` and set `mfa_enabled` to `true`:
```identity-config.yaml
code:
  mfa_enabled: true
```
part?
c
yeah - my problem was trying to figure out how NOT to force mfa after login, but only in special situations. the self-hosted and ory docs seem to diverge a bit
- https://www.ory.sh/docs/kratos/self-hosted/mfa - doesn't have anything about dynamic mfa
- https://www.ory.sh/docs/kratos/mfa/step-up-authentication - doesn't tell you what yaml config items you need to update
- https://www.ory.sh/docs/kratos/reference/configuration makes it seem like the default value for `session_whoami_required_aal` is `1` but seems to actually be 2.
I ended up piecing it together but took way longer than it should have 😄