# ory-copilot
@chilly-king-10285 How do I add TOTP to my project?
A message from kapa.ai
To add TOTP (Time-based One-Time Password) to your Ory project, follow these steps:

### 1. Enable TOTP in Your Project

Using the Ory Console:

1. Log in to your [Ory Console](https://console.ory.sh/).
2. Select your workspace and project.
3. Navigate to Authentication > Two-factor auth.
4. In the TOTP Authenticator App section, enable TOTP.
5. Set the Display Name (this is what users see in their TOTP app).
6. Click Save.

Using the Ory CLI:

1. Download your current identity configuration:

   ```sh
   ory list workspaces
   ory list projects --workspace <workspace-id>
   ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml
   ```

2. Edit the configuration file to enable TOTP and set the issuer:

   ```yaml
   selfservice:
     methods:
       totp:
         config:
           issuer: ExampleIssuer.com
         enabled: true
   ```

3. Update your configuration:

   ```sh
   ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
   ```

[Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp)

### 2. User Enrollment

After TOTP is enabled for your project, each user must pair their account with a TOTP app (like Google Authenticator or FreeOTP). In the Ory Account Experience, users do this by:

- Signing in to their account.
- Navigating to the Authenticator App section in Account Settings.
- Following the instructions to pair their TOTP app.

Users are not automatically prompted to enable TOTP; they must opt in via their account settings [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp).

### 3. (Optional) Custom Identity Schema

If you use a custom identity schema and want to display a specific trait (like email) in the TOTP app, add a `totp` section to the relevant trait in your schema:

```json
"email": {
  "type": "string",
  "format": "email",
  "ory.sh/kratos": {
    "credentials": {
      "totp": {
        "account_name": true
      }
    }
  }
}
```

[Custom identity schema](https://www.ory.sh/docs/kratos/mfa/totp#custom-identity-schema)

---

This will enable TOTP as a second factor for your users, increasing the security of your authentication flows.
@chilly-king-10285 I use Hydra and Kratos locally. This is my identity.schema.json:

```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "email",
          "minLength": 6,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              }
            },
            "verification": {
              "via": "email"
            }
          }
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}
```

My hydra.yaml:

```yaml
serve:
  cookies:
    same_site_mode: Lax
  public:
    cors:
      enabled: true
      allowed_origins:
        - http://127.0.0.1*
        - http://localhost*
        - https://kratos.qaap.io*
        - https://ory.qaap.io*
        - https://corteza.qaap.io*
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type
  # Enable CORS for the admin endpoint only during local testing
  admin:
    cors:
      enabled: true
      allowed_origins:
        - http://127.0.0.1*
        - http://localhost*
        - https://kratos.qaap.io*
        - https://ory.qaap.io*
        - https://corteza.qaap.io*
      allowed_methods:
        - GET
        - POST
        - OPTIONS
      allowed_headers:
        - Content-Type
      exposed_headers:
        - Content-Type

# 4444: Hydra public URL
# 4455: Kratos UI: Kratos sign up, sign in, logout
# 4434: Kratos admin URL
urls:
  self:
    issuer: https://ory.qaap.io
  consent: https://kratos.qaap.io/auth/consent
  login: https://kratos.qaap.io/auth/login
  logout: https://kratos.qaap.io/auth/logout
  identity_provider:
    url: https://kratos.qaap.io/admin

secrets:
  system:
    - CHANGE_ME_TO_REAL_SECRET

oidc:
  subject_identifiers:
    supported_types:
      - pairwise
      - public
    pairwise:
      salt: CHANGE_ME_TO_REAL_SECRET

log:
  leak_sensitive_values: true
  level: info
```

My kratos.yml:

```yaml
version: v1.3.1

dsn: postgres://kratos:secret@postgres:5432/kratos?sslmode=disable

serve:
  public:
    base_url: https://kratos.qaap.io
    cors:
      enabled: true
  admin:
    base_url: https://kratos.qaap.io/admin

selfservice:
  default_browser_return_url: https://kratos.qaap.io/auth
  allowed_return_urls:
    - https://kratos.qaap.io/auth

  methods:
    password:
      enabled: true
      config:
        min_password_length: 6
        identifier_similarity_check_enabled: false
        haveibeenpwned_enabled: false

  flows:
    error:
      ui_url: https://kratos.qaap.io/auth/error
    settings:
      ui_url: https://kratos.qaap.io/auth/settings
      privileged_session_max_age: 15m
      required_aal: highest_available
    logout:
      after:
        default_browser_return_url: https://kratos.qaap.io/auth/login
    login:
      ui_url: https://kratos.qaap.io/auth/login
    registration:
      ui_url: https://kratos.qaap.io/auth/registration
      after:
        password:
          hooks:
            - hook: session

log:
  format: text
  leak_sensitive_values: true
  level: info

secrets:
  cookie:
    - CHANGE_ME_TO_REAL_SECRET
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity.schema.json # Important: identity schema

oauth2_provider:
  url: http://hydra:4445
```

How do I add TOTP to this structure?
A message from kapa.ai
To add TOTP (Time-based One-Time Password) to your local Ory Kratos and Hydra setup, you need to update your Kratos configuration to enable the TOTP method and (optionally) set the issuer. Your identity schema is already correctly configured for TOTP, as it includes the necessary `totp` section under the `email` trait. Here's how to proceed:

---

### 1. Update your Kratos configuration (`kratos.yml`)

Add the `totp` method under `selfservice.methods` and set it to enabled. You can also specify the issuer name that will appear in users' authenticator apps.

```yaml
selfservice:
  methods:
    password:
      enabled: true
      config:
        min_password_length: 6
        identifier_similarity_check_enabled: false
        haveibeenpwned_enabled: false
    totp:
      enabled: true
      config:
        issuer: ExampleIssuerForSelfHosted.com
  flows:
    # ... (rest of your config)
```

Note: Place the `totp` block at the same level as `password` under `selfservice.methods` in your `kratos.yml` file.

[Reference: Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa)

---

### 2. Restart Kratos

After updating the configuration, restart your Kratos service to apply the changes.

---

### 3. User Enrollment

Users can now enroll TOTP as a second factor via the settings flow in your UI. When they do, Kratos will generate a TOTP secret and provide a QR code for pairing with an authenticator app (like Google Authenticator). The QR code and secret are managed by Kratos and exposed via the settings flow API.

[Reference: Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp)

---

### 4. (Optional) Adjust Enforcement

You already have `required_aal: highest_available` under `selfservice.flows.settings`, which means users with a second factor configured will be required to complete the TOTP challenge for sensitive operations.

[Reference: Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa)

---

Summary:

- Add the `totp` method to your `kratos.yml` under `selfservice.methods`.
- Restart Kratos.
- Users can now enroll TOTP via the settings UI.

If you need to customize the identity schema further for TOTP, your current schema already includes the recommended configuration for the `email` trait, so no changes are needed there.

If you have any issues with the QR code or TOTP pairing, ensure your UI is correctly handling the settings flow and displaying the QR code provided by Kratos. The TOTP URL is included in the flow response as described in the [official answer here](https://github.com/ory/kratos/discussions/4311).
@chilly-king-10285 What should I put for the issuer?
A message from kapa.ai
For the TOTP issuer, you should set it to the name you want your users to see in their authenticator app when they add your service. This is typically your application's name or your organization's domain. For example, if your app is called "ExampleApp," you might use:

```yaml
selfservice:
  methods:
    totp:
      enabled: true
      config:
        issuer: ExampleApp
```

The documentation states:

> The "issuer" is the name in the TOTP application users see when getting a one-time password.

[Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa)

Choose a value that clearly identifies your service to your users.
I did this config but it doesn't add it for me @chilly-king-10285
A message from kapa.ai
If you have enabled the TOTP method in your `kratos.yml` as described, but it is not appearing as an option for your users, here are some things to check based on the official Ory documentation:

1. Configuration Placement: Ensure that the `totp` method is placed under `selfservice.methods` in your `kratos.yml`, at the same level as `password`:

   ```yaml
   selfservice:
     methods:
       password:
         enabled: true
         # ...
       totp:
         enabled: true
         config:
           issuer: ExampleApp
   ```

2. Restart Kratos: After making changes to your configuration, you must restart the Kratos service for the changes to take effect.
3. User Enrollment Flow: TOTP is not automatically enabled for users. Each user must go to the Account Settings page and pair their account with a TOTP app. In the Ory Account Experience, users are not automatically prompted to enable TOTP; they must opt in via their account settings. If your UI does not expose this flow, users will not see the option to add TOTP [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp).
4. Identity Schema: Your identity schema already includes the recommended configuration for TOTP under the `email` trait, so this should not be the issue.
5. UI Integration: If you are using a custom UI, ensure you are correctly handling the settings flow and displaying the TOTP setup option. The QR code and secret are provided by Kratos in the settings flow response.
6. Logs and Errors: Check the Kratos logs for any errors or warnings related to TOTP or the settings flow. Sometimes, misconfiguration or missing fields can cause the method not to appear.

If you have checked all of the above and TOTP still does not appear, the knowledge sources do not provide further troubleshooting steps for this specific issue. You may want to review your UI integration or consult the [official documentation](https://www.ory.sh/docs/kratos/mfa/totp) for additional details. If you encounter a specific error message, please provide it for more targeted help.
@chilly-king-10285 I use this UI:

```yaml
version: '3.7'

services:
  # PostgreSQL for Hydra
  hydra-postgres:
    image: postgres:15
    environment:
      POSTGRES_DB: hydra
      POSTGRES_USER: hydra
      POSTGRES_PASSWORD: secret
    ports:
      - "5430:5432"
    volumes:
      - hydra_postgres_data:/var/lib/postgresql/data
    networks:
      - intranet
    restart: unless-stopped

  # PostgreSQL for Kratos
  kratos-postgres:
    image: postgres:15
    environment:
      POSTGRES_DB: kratos
      POSTGRES_USER: kratos
      POSTGRES_PASSWORD: secret
    ports:
      - "5431:5432"
    volumes:
      - kratos_postgres_data:/var/lib/postgresql/data
    networks:
      - intranet
    restart: unless-stopped

  # Hydra migration
  hydra-migrate:
    image: oryd/hydra:latest
    environment:
      - DSN=postgres://hydra:secret@hydra-postgres:5432/hydra?sslmode=disable
    command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
    volumes:
      - ./config:/etc/config/hydra
    restart: on-failure
    depends_on:
      - hydra-postgres
    networks:
      - intranet

  # Hydra service
  hydra:
    image: oryd/hydra:latest
    ports:
      - "4444:4444" # Public port
      - "4445:4445" # Admin port
      - "5555:5555" # Port for hydra token user
    volumes:
      - ./config:/etc/config/hydra
    environment:
      - DSN=postgres://hydra:secret@hydra-postgres:5432/hydra?sslmode=disable
    command: serve -c /etc/config/hydra/hydra.yml all --dev
    restart: unless-stopped
    depends_on:
      - hydra-migrate
      - hydra-postgres
    networks:
      - intranet

  # Kratos migration
  kratos-migrate:
    image: oryd/kratos:latest
    environment:
      - DSN=postgres://kratos:secret@kratos-postgres:5432/kratos?sslmode=disable
    volumes:
      - ./config:/etc/config/kratos
    command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
    restart: on-failure
    depends_on:
      - kratos-postgres
    networks:
      - intranet

  # Kratos service
  kratos:
    depends_on:
      - kratos-migrate
      - kratos-postgres
    image: oryd/kratos:latest
    ports:
      - '4433:4433' # public
      - '4434:4434' # admin
    restart: unless-stopped
    environment:
      - DSN=postgres://kratos:secret@kratos-postgres:5432/kratos?sslmode=disable
    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
    volumes:
      - ./config:/etc/config/kratos
    networks:
      - intranet

  # Kratos Self-Service UI
  kratos-selfservice-ui-node:
    image: oryd/kratos-selfservice-ui-node:latest
    ports:
      - "4455:4455"
    environment:
      - KRATOS_PUBLIC_URL=http://kratos:4433
      - KRATOS_BROWSER_URL=https://kratos.qaap.io
      - HYDRA_ADMIN_URL=http://hydra:4445
      - PORT=4455
      - COOKIE_SECRET=SuperSecretCookie
      - CSRF_COOKIE_NAME=__OryKratosApp
      - CSRF_COOKIE_SECRET=SuperSecretCookieCsrf
    networks:
      - intranet
    restart: on-failure

networks:
  intranet:

volumes:
  hydra_postgres_data:
  kratos_postgres_data:
```
A message from kapa.ai
Based on your setup, you are using the official Ory Kratos Self-Service UI (`oryd/kratos-selfservice-ui-node`). According to the knowledge sources, when TOTP is enabled in your Kratos configuration and your identity schema is set up correctly (which yours is), users should be able to enroll TOTP as a second factor through the Account Settings page in the UI.

However, the knowledge sources do not provide explicit details about the TOTP enrollment experience in the `kratos-selfservice-ui-node` container. The official documentation and discussions focus on the Ory Account Experience and custom UIs, and they state that users must go to the Authenticator App section of the Account Settings page to pair their TOTP app. If your UI does not expose this flow, users will not see the option to add TOTP, even if it is enabled in Kratos. This is a common issue if the UI is not up-to-date with the latest Kratos features or if the settings flow is not fully implemented for TOTP support in the UI you are using [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp).

What you can do:

- Make sure you are accessing the Settings page in your UI after logging in.
- If you do not see the TOTP option, it is likely that the `kratos-selfservice-ui-node` does not support TOTP enrollment out of the box, or your version is outdated.
- The knowledge sources do not provide a way to enable TOTP in the UI if it is not already present. If this is the case, you may need to implement the TOTP enrollment flow yourself or use a different UI that supports it.

Summary: If TOTP is enabled in your Kratos config and your identity schema is correct, but you do not see the TOTP option in the UI, the most likely reason is that the `kratos-selfservice-ui-node` does not support TOTP enrollment in its current version. The knowledge sources do not provide a solution for enabling TOTP in this UI if it is missing. You may need to check for updates to the UI or implement the TOTP flow yourself. If you have further questions or encounter specific errors, please provide more details for targeted help.