Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello everyone, I have a question about the intended behaviour of code based 2FA. It seems as though the mfa_enabled flag in the Kratos configuration forces all users to a highest available aal of 2, without checking for a verified / verifiable address or being enabled by the individual user. Is this intentional? The reason I ask is I would like to be able to configure code based 2FA per user, the same way that users can configure totp based 2FA. This flag makes the assumption that every single user will have an address that can be used for code based 2FA, and that I want it automatically required for all users. What about a case where email is an optional field in the schema, and I want users who add their email to have the option to verify that address and use it for 2FA? I don't follow why this is a global configuration, rather than optionally enabled in a settings flow, like totp. Thanks!