<@U04UQ68083H> I would like to require users to ha...
# ory-copilot
@chilly-king-10285 I would like to require users to have MFA configured before they can access my app. If a user does not have MFA configured, I would like to prompt them to set up MFA as part of the registration flow. How can I best implement this?
A message from kapa.ai
To implement a system where users must have MFA configured before accessing your app, you'll need to work with Ory's multi-factor authentication capabilities. Here's how you can approach this:

## Enforce MFA for Session Access

First, configure your Ory Identities (Kratos) to require the highest available authentication level for sessions:

```yaml
session:
  whoami:
    required_aal: highest_available
```

This setting ensures that users who have configured a second factor must complete the second factor challenge before using your app [Ory Self-hosted MFA Configuration](https://www.ory.sh/docs/kratos/self-hosted/mfa).

## Enable MFA Methods

Enable one or more MFA methods in your configuration. You can choose from:

1. TOTP (Time-based one-time passwords) with authenticator apps
2. WebAuthn/Passkeys for biometric or hardware key authentication
3. SMS-based one-time codes
4. Lookup secrets (recovery codes)

For example, to enable TOTP:

```yaml
selfservice:
  methods:
    totp:
      config:
        issuer: YourAppName.com
      enabled: true
```

## Redirect to MFA Setup After Registration

To prompt users to set up MFA after registration, you can use Ory Actions with the "after registration" trigger. This allows you to run custom logic when a user successfully registers [Action Triggers](https://www.ory.sh/docs/kratos/hooks/configure-hooks#action-triggers).

When a user completes registration, you can redirect them to a settings flow where they can set up their MFA method. You would need to:

1. Create an "after registration" hook
2. In your hook, redirect the user to the settings page with a focus on MFA setup

## Handle MFA Enforcement in Your UI

In your application, you'll need to handle the case when a user tries to access protected resources without having completed MFA:

```javascript
sdk
  .toSession()
  .then(({ data: session }) => {
    // User has completed all required authentication steps
  })
  .catch((error) => {
    if (error.response?.status === 403 &&
        error.response?.data.error?.id === "session_aal2_required") {
      // Redirect to MFA setup or login with second factor
      navigate("/login?aal=aal2", { replace: true });
      return;
    }
  });
```

This code checks if the user needs to complete a second factor and redirects them accordingly [Custom UI Advanced Integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#two-factor-authentication).

## Step-up Authentication

For users who haven't configured MFA yet, you can use step-up authentication to prompt them to set it up:

```
/self-service/login/browser?aal=aal2
```

This endpoint will initiate a login flow that requires the second factor [Step-up Authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication).

## Important Considerations

1. Be aware that WebAuthn has some limitations - it's browser-only and doesn't work with native mobile apps [WebAuthn Limitations](https://www.ory.sh/docs/kratos/mfa/webauthn-fido-yubikey#limitations).
2. For the best security, consider using TOTP or WebAuthn rather than SMS, as they provide stronger protection against certain attack vectors [Breached Password Detection](https://www.ory.sh/blog/breached-password-detection).
3. If you're using the "highest_available" setting, be aware of a potential issue where users without MFA configured might encounter errors. This was addressed in a recent fix, but make sure you're on the latest version [GitHub Issue #409](https://github.com/ory/network/issues/409).

By implementing these steps, you can ensure that users must configure MFA before they can fully access your application.
@chilly-king-10285 how can I check the highest available aal for a given identity?
A message from kapa.ai
To check the highest available Authenticator Assurance Level (AAL) for a given identity in Ory, you need to examine the authentication methods available to that identity. The AAL indicates how many authentication factors an identity has configured. There isn't a direct API endpoint that returns the "highest available AAL" as a single value, but you can determine this by:

1. Retrieving the identity's session information
2. Examining the credentials the identity has configured

## Checking via Session Information

When you retrieve a session, you can see the current `authenticator_assurance_level` and the authentication methods used:

```javascript
// Get the current session
sdk.toSession()
  .then(({ data: session }) => {
    console.log("Current AAL:", session.authenticator_assurance_level);
    console.log("Authentication methods:", session.authentication_methods);
  });
```

The session object contains information about the authentication methods used and the current AAL level (aal0, aal1, aal2, or aal3) [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api).

## Examining Available Credentials

To determine what authentication methods are available to an identity (and thus what the highest possible AAL would be), you would need to:

1. Retrieve the identity information (requires admin privileges)
2. Check what credential types are configured

If the identity has configured second-factor methods like TOTP, WebAuthn, or lookup secrets, then their highest available AAL would be aal2.

## Understanding AAL Values

According to the documentation, authentication methods are classified into factors:

| Authentication method | Factor |
| --- | --- |
| `password` | first |
| `oidc` | first |
| `totp` | second |
| `webauthn` | second |
| `lookup_secret` | second |

- `aal1`: The user has only first authentication factor(s) configured
- `aal2`: The user has both first and second authentication factor(s) configured

Note that completing two first authentication factors (like password and OIDC) still only gives the user `aal1` [Ory MFA Overview](https://www.ory.sh/docs/kratos/mfa/overview#terminology).

## Handling MFA Requirements

When you set `required_aal: highest_available` in your configuration, Ory will require users to authenticate with their highest available AAL. This means:

- Users with only password will authenticate with aal1
- Users with password + TOTP will need to authenticate with aal2

This is particularly useful for enforcing MFA when available while not blocking users who haven't set it up yet [Ory Step-up Authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication).

If you're experiencing issues with the `highest_available` setting, be aware there was a bug (now fixed) where users without MFA configured would encounter errors when trying to access settings [GitHub Issue #409](https://github.com/ory/network/issues/409).