<@U04UQ68083H> how can i login with totp, ory krat...
# ory-copilot
s
@chilly-king-10285 how can I log in with TOTP, Ory Kratos?
b
A message from kapa.ai
To log in with TOTP (Time-based One-Time Password) using Ory Kratos, you need to use the TOTP login method as part of the login flow. Here’s how you can do it:

1. Start a Login Flow: Initiate a login flow using the Ory Kratos API or your frontend. This will provide you with a flow ID and the necessary CSRF token if you are using a browser-based flow.
2. Submit the TOTP Code: In the login form or via API, submit the following payload to the `/self-service/login` endpoint (or the equivalent endpoint for your deployment):

   ```json
   {
     "method": "totp",
     "totp_code": "<the code from your authenticator app>",
     "csrf_token": "<csrf token if required>"
   }
   ```

   - `method` should be set to `"totp"`.
   - `totp_code` is the 6-digit code generated by your TOTP app (e.g., Google Authenticator).
   - `csrf_token` is required for browser flows.

   Example request body (API reference):

   ```json
   {
     "method": "totp",
     "totp_code": "123456",
     "csrf_token": "your-csrf-token"
   }
   ```

   [Ory API Reference – updateLoginFlow](https://www.ory.sh/docs/reference/api)
3. Successful Login: If the TOTP code is valid, the login flow will complete and you will be authenticated.

Note:

- TOTP must be enabled and configured for the user account before you can use it for login. Users typically pair their account with a TOTP app in the account settings before using TOTP for login.
- If you need to enable TOTP in your Ory Kratos configuration, set the following in your config:

  ```yaml
  selfservice:
    methods:
      totp:
        config:
          issuer: ExampleIssuer.com
        enabled: true
  ```

  [TOTP Configuration Guide](https://www.ory.sh/docs/kratos/mfa/totp)

For more details on enabling and configuring TOTP, see the [Ory Kratos TOTP documentation](https://www.ory.sh/docs/kratos/mfa/totp).
s
@chilly-king-10285 how can I do

```
TOTP must be enabled and configured for the user account before you can use it for login. Users typically pair their account with a TOTP app in the account settings before using TOTP for login.
```
b
A message from kapa.ai
To enable and configure TOTP for a user account in Ory Kratos, follow these steps:

1. Enable TOTP in Your Project Configuration
   - In the Ory Console: Go to Authentication → Two-factor auth and enable the TOTP Authenticator App. Set the display name (issuer) that users will see in their authenticator app and save the changes.
   - Using configuration file (for self-hosted or CLI): Edit your identity config to include:

     ```yaml
     selfservice:
       methods:
         totp:
           config:
             issuer: ExampleIssuer.com
           enabled: true
     ```

     Then update your project configuration using the CLI as described in the docs [Docs > Kratos > Mfa > Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp).
2. User Pairs Their Account with a TOTP App
   - After TOTP is enabled for the project, each user must pair their account with a TOTP app (like Google Authenticator or FreeOTP).
   - Users do this by signing in and navigating to the Authenticator App section of the Account Settings page in the Ory Account Experience.
   - There, they will be shown a QR code or a TOTP URL to scan or enter into their authenticator app. This step securely shares the secret needed to generate TOTP codes.

   > In the Ory Account Experience, users are not automatically prompted to enable TOTP for their accounts. To enable TOTP, users must sign in to their accounts and go to the Authenticator App section of the Account Settings page

   [Docs > Kratos > Mfa > Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp).
3. TOTP Credential Storage
   - Once paired, Ory Kratos stores the TOTP secret in the user's identity credentials. The secret is used to verify the codes generated by the user's authenticator app [Identity credentials](https://www.ory.sh/docs/kratos/mfa/totp#identity-credentials).

After these steps, the user can log in using TOTP as a second factor. If you need to customize the identity schema for TOTP (e.g., to display a specific trait in the authenticator app), see the [custom identity schema section](https://www.ory.sh/docs/kratos/mfa/totp#custom-identity-schema).