To enable 2FA via email (one-time code) for an identity in Ory Kratos, the identity must have a verifiable email address. If your identity currently does not have an email, you need to: 1. Update the Identity to Add an Email Address - Use the Ory Console or API to update the identity and add an email trait. The email field must be present in your identity schema and marked as verifiable. Example trait in your identity schema:

json    {      "traits": {        "email": "<mailto:user@example.com|user@example.com>"      }    }

Your identity schema should include:

json    "email": {      "type": "string",      "format": "email",      "<http://ory.sh/kratos|ory.sh/kratos>": {        "credentials": {          "password": { "identifier": true },          "code": { "identifier": true, "via": "email" }        },        "verification": { "via": "email" }      }    }

This marks the email as verifiable and usable for code-based 2FA and login [[Customize identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#identity-schema-extensions)]. 2. Trigger the Email Verification Flow - The user must verify their email. You can trigger this by starting the verification flow (e.g., via the Ory Console, your UI, or API). - The user will receive a verification email with a code or link. Example API call to start verification (replace placeholders as needed):

bash    curl -X POST \      -H 'Content-Type: application/json' \      -H 'Accept: application/json' \      -b cookies.txt \      -d '{"method":"code","email":"<mailto:user@example.com|user@example.com>","csrf_token":"your-csrf-token"}' \      "https://$<http://PROJECT_SLUG.projects.oryapis.com/self-service/verification?flow=<your-flow-id|PROJECT_SLUG.projects.oryapis.com/self-service/verification?flow=<your-flow-id>>"

[[Submit verification flow](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#submit-verification-flow)] 3. User Completes Verification - The user clicks the link or enters the code received in their email to complete verification. 4. Enable 2FA via Email (One-Time Code) - In the Ory Console, go to Authentication → Two-factor auth and enable "one-time code multi factor authentication". - In your config, ensure:

yaml    code:      mfa_enabled: true

[[SMS and Email 2FA](https://www.ory.sh/docs/kratos/mfa/mfa-via-sms)] 5. Test 2FA via Email - When logging in, after the password step, the user will be prompted for a code sent to their verified email. Summary: You must update the identity to include a verifiable email, complete the email verification flow, and then enable 2FA via email in your project settings. Without a verified email, 2FA via email cannot be used [[Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation)]. If you need more details on updating identities or triggering flows, let me know!