To see the QR code when enabling TOTP (Time-based One-Time Password) in Ory Kratos, you need to go through the TOTP pairing process in the user interface. After TOTP is enabled in your project (via the Ory Console or configuration), each user must enable TOTP for their own account by pairing it with a TOTP app. In the Ory Account Experience, users do this by signing in and navigating to the Authenticator App section of the Account Settings page. There, the UI will display a QR code that can be scanned with an authenticator app like Google Authenticator or FreeOTP. This QR code contains the secret needed to set up TOTP in the app. If the user cannot scan the QR code, the secret is also shown in text form for manual entry [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). The QR code is presented as part of the TOTP setup flow in the UI. If you are building a custom UI or integrating with the API, the QR code (or the otpauth URL) is returned as part of the settings flow response. You do not need to generate it manually; Ory Kratos provides it as part of the flow [TOTP - Generate QR code and verify users provided code .NET Core](https://github.com/ory/kratos/discussions/4311). In summary: - Enable TOTP in your project. - Users go to their account settings and start the TOTP setup. - The UI will show the QR code to scan with an authenticator app. If you are not seeing the QR code, ensure that TOTP is enabled in your configuration and that you are accessing the correct section in the user interface.

Your identity schema configuration for TOTP looks correct. By adding the following to your schema:

json "<http://ory.sh/kratos|ory.sh/kratos>": {   "credentials": {     "totp": {       "account_name": true     }   } }

to both the

email

and

username

fields, you are instructing Ory Kratos to use those fields as the account name displayed in the authenticator app when users set up TOTP. This is the recommended way to configure TOTP with a custom identity schema [Custom identity schema for TOTP](https://www.ory.sh/docs/kratos/mfa/totp#custom-identity-schema). With this configuration, when a user initiates the TOTP setup flow (for example, in the Ory Account Experience under Account Settings > Authenticator App), the UI will display a QR code. The QR code will use the user's email or username as the account name in the authenticator app, depending on which field is present and configured. If you are not seeing the QR code in your UI, ensure that: - TOTP is enabled in your Ory Kratos configuration. - You are accessing the TOTP setup flow in the user interface. - Your identity schema is correctly applied to your project. If you are building a custom UI, the QR code (or the otpauth URL) is returned as part of the settings flow response from the Ory Kratos API, so you can render it yourself [TOTP - Generate QR code and verify users provided code .NET Core](https://github.com/ory/kratos/discussions/4311). In summary, your schema is correct for TOTP, and the QR code should be shown during the TOTP setup flow in the UI if everything is configured and enabled properly.

To retrieve the TOTP QR code as part of the settings flow, you should use the Get Settings Flow API endpoint in Ory Kratos. When TOTP setup is initiated, the response from this endpoint will include a UI node of type

img

in the

ui.nodes

array. This node contains the QR code as a base64-encoded image in the

src

attribute. API Endpoint:

GET /self-service/settings/flows?id=<flow_id>

- Replace

<flow_id>

with the ID of the current settings flow. How to find the QR code in the response: - Look for a node in

ui.nodes

where

type

is

img

and

group

is

totp

. - The QR code image will be in

attributes.src

as a base64-encoded PNG. Example node from the response:

json {   "type": "img",   "group": "totp",   "attributes": {     "src": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQAAAAEAEAAAAAApiSv5AAAHP0lEQVR4nOyd0Y4kOwoFt1fz/...",     "id": "totp_qr",     "width": 256,     "height": 256,     "node_type": "img"   },   "messages": [],   "meta": {     "label": {       "id": 1050005,       "text": "Authenticator app QR code",       "type": "info"     }   } }

You can then render this image in your frontend by using the

src

value as the

src

attribute of an

<img>

tag [UI image nodes](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#ui-image-nodes). Reference: The official answer in the Ory community confirms: > If configured correctly, the TOTP QR code is returned as part of the GetSettingsFlow response in base64 format [TOTP - Generate QR code and verify users provided code .NET Core](https://github.com/ory/kratos/discussions/4311) For more details, see the [Ory Kratos API reference for getSettingsFlow](https://www.ory.sh/docs/kratos/reference/api).

If you do not see a node with

"type": "img"

in your

getSettingsFlow

response, it usually means that the TOTP setup step has not been properly initiated or is not available for the current user/session. According to the official Ory answer, the QR code is only returned as part of the settings flow when TOTP is correctly configured and the user is in the process of pairing their authenticator app [TOTP - Generate QR code and verify users provided code .NET Core](https://github.com/ory/kratos/discussions/4311). Here are some things to check: 1. TOTP must be enabled in your Kratos configuration. 2. The user must not already have TOTP enabled. The QR code is only shown when the user is setting up TOTP for the first time. 3. You must be in the correct step of the settings flow. If the user is not in the TOTP setup step, the QR code node will not be present. 4. Your identity schema must be correct. From your previous message, your schema looks correct for TOTP. If all of the above are correct and you still do not see the

"type": "img"

node, the knowledge sources do not provide further troubleshooting steps or details about why the QR code might not appear. You may need to review your flow logic or consult additional Ory documentation or support channels. Summary: The QR code node (

"type": "img"

, group

"totp"

) should appear in the settings flow response only when TOTP setup is available and required for the user. If it does not, double-check your configuration and the user's TOTP status. The knowledge sources do not provide more specific troubleshooting steps for this scenario.

Certainly! Here’s a step-by-step guide to set up TOTP (Time-based One-Time Password) multi-factor authentication in Ory Kratos, based strictly on the official documentation: --- ### 1. Enable TOTP in Your Project Using Ory Console: - Go to Authentication → Two-factor auth in the [Ory Console](https://console.ory.sh/projects/current/mfa). - In the TOTP Authenticator App section, enable TOTP. - Set the display name (issuer) that users will see in their authenticator app. - Click Save. Using Configuration File: - Edit your identity config (e.g.,

identity-config.yaml

):

yaml     selfservice:       methods:         totp:           config:             issuer: <http://ExampleIssuer.com|ExampleIssuer.com>           enabled: true

- Update your project with the new config:

ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml

[Source: TOTP Setup Guide](https://www.ory.sh/docs/kratos/mfa/totp) --- ### 2. Ensure Your Identity Schema Supports TOTP Your identity schema should include the TOTP configuration under the relevant traits (e.g.,

email

,

username

):

json "<http://ory.sh/kratos|ory.sh/kratos>": {   "credentials": {     "totp": {       "account_name": true     }   } }

[Source: TOTP Custom Identity Schema](https://www.ory.sh/docs/kratos/mfa/totp#custom-identity-schema) --- ### 3. User Initiates TOTP Setup - The user logs in and navigates to the Authenticator App section in their account settings. - The UI will prompt the user to set up TOTP. --- ### 4. Retrieve the TOTP QR Code - When the user starts the TOTP setup, the Get Settings Flow API (

GET /self-service/settings/flows?id=<flow_id>

) will return a node in

ui.nodes

with

"type": "img"

and

"group": "totp"

. - The QR code is in

attributes.src

as a base64-encoded image. - If you do not see this node, ensure the user does not already have TOTP enabled and that you are in the correct step of the flow. [Source: Official Ory Answer](https://github.com/ory/kratos/discussions/4311) --- ### 5. User Scans the QR Code - The user scans the QR code with an authenticator app (e.g., Google Authenticator). - The app will generate 6-digit codes. --- ### 6. User Verifies the Code - The user enters the code from their authenticator app into the UI. - Ory Kratos verifies the code and, if correct, enables TOTP for the user. --- If you do not see the QR code in the settings flow response: - Double-check that TOTP is enabled in your config. - Make sure the user is in the TOTP setup step and does not already have TOTP enabled. - Ensure your identity schema is correct. If you follow these steps and still do not see the QR code, the knowledge sources do not provide further troubleshooting details. In that case, consider reaching out to Ory support or the community for more help. --- Let me know if you need more details on any specific step!

To log in with a 6-digit code from your authenticator app (using TOTP) in Ory Kratos, you need to use the TOTP login method during the login flow. Here’s how it works: 1. Start a Login Flow: Begin the login process as usual (e.g., via your app’s login page or by calling the login flow API). 2. Select the TOTP Method: When prompted for the authentication method, choose TOTP. 3. Submit the 6-digit Code: Enter the 6-digit code generated by your authenticator app (such as Google Authenticator) into the login form. 4. API Request Example: If you are integrating via API, you need to call the

updateLoginFlow

endpoint with the following payload:

json    {      "method": "totp",      "totp_code": "123456" // Replace with the code from your app    }

- The

csrf_token

may also be required for browser flows. This will authenticate the user using the TOTP code [Ory Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api). Note: - The TOTP login method is only available if the user has previously set up TOTP for their account. - If you do not see the TOTP option during login, ensure that TOTP is enabled in your configuration and that the user has paired an authenticator app. For more details, see the [Ory Kratos API reference for updateLoginFlow](https://www.ory.sh/docs/kratos/reference/api).

The error message you are seeing:

"Could not find a strategy to log you in with. Did you fill out the form correctly?" (4010002)

indicates that the TOTP login strategy is not available for your login flow. According to the Ory documentation, this error typically means that either: - The TOTP method is not enabled in your Ory Kratos configuration, or - The user has not set up TOTP as a second factor, or - The login flow you are using does not expect a TOTP code at this stage. Key points to check: 1. TOTP must be enabled in your Kratos configuration: Make sure your configuration file includes:

yaml    selfservice:      methods:        totp:          config:            issuer: <http://ExampleIssuer.com|ExampleIssuer.com>          enabled: true

[Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa) 2. The user must have TOTP set up: The TOTP login method is only available if the user has previously paired an authenticator app with their account [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). 3. The login flow must require TOTP: The login flow will only accept a TOTP code if the user is required to perform multi-factor authentication. If the user is not prompted for TOTP, submitting a TOTP code will result in this error. 4. Correct method and payload: Your payload should look like this (without comments inside the JSON):

json    {      "csrf_token": "{{loginFlowCsrf}}",      "method": "totp",      "totp_code": "123456"    }

[Ory Kratos API Reference – updateLoginFlow](https://www.ory.sh/docs/kratos/reference/api) Summary: This error means the TOTP strategy is not available for this login flow. Double-check that TOTP is enabled, the user has set up TOTP, and the flow is at the correct step to accept a TOTP code. If these conditions are not met, the TOTP method will not be accepted and you will see this error [UI message 4010002](https://www.ory.sh/docs/kratos/concepts/ui-messages#could-not-find-a-strategy-to-log-you-in-with-did-you-fill-out-the-form-correctly-4010002). If you have confirmed all of the above and still encounter the issue, the knowledge sources do not provide further troubleshooting steps.