# ory-selfhosting
f
Hi, is there a way that forces users to set up TOTP after registration? As I see in the doc, people can initialize it by themselves, but I want to force them to do it and not let them choose. I already have this:
methods:
    password:
      enabled: true
      config:
        min_password_length: 6
        identifier_similarity_check_enabled: false
        haveibeenpwned_enabled: false
    totp:
      enabled: true
      config:
        issuer: Kratos
s
session:
  lifespan: 24h
  whoami:
    required_aal: highest_available
  cookie:
    same_site: Strict
This is the config to require TOTP
f
@square-napkin-92357, I applied this config, but the user can still decide to activate the TOTP for themselves. I want to force them to activate it.
s
With
required_aal: highest_available
users must activate TOTP; if not, they can log in, but the session is not at a high enough level to do ....
It will show
f
As I see in the doc, this required_aal: highest_available makes the user perform all available security methods to log in. If only one method is available, like a password, you can log in with that, so users that didn't activate their TOTP can log in with their password and use the features. As it says in https://www.ory.sh/docs/kratos/self-hosted/mfa: "If instead, you want all users that configured a second factor to complete the factor before using your app, set session.whoami.required_aal to highest_available." This works for all users that configured a second factor.