# ory-copilot
w
@chilly-king-10285 Can I determine via the kratos admin api whether a given user has enrolled in a particular form of 2fa, like totp or webauthn?
b
A message from kapa.ai
Yes, you can determine whether a user has enrolled in a particular form of 2FA, such as TOTP or WebAuthn, by inspecting the user's identity object via the Kratos Admin API. When a user enables TOTP, for example, Ory Kratos adds entries to the credentials object of the associated identity. Specifically, you will find a `credentials.totp` section (and similarly for `credentials.webauthn`) in the identity's `credentials` field. This section contains configuration details, such as the TOTP URL, indicating that the user has enrolled in that 2FA method. Here is an example of what the credentials object might look like for a user with TOTP enabled:

```yaml
credentials:
  totp:                 # the map key is the credential type
    id: totp
    identifiers:
      - 802471b9-06f5-49d4-a88d-5e7d6bcfed22
    config:
      # This is the TOTP URL which contains the pre-shared key and some additional meta-information.
      totp_url: otpauth://totp/Example:alice@example.org?secret=JBSWY3DPEHPK3PXP&issuer=Example
```
You can retrieve the identity object using the Kratos Admin API and check for the presence of the relevant credentials (e.g., totp or webauthn) to determine if the user has enrolled in that 2FA method. The same approach applies for WebAuthn and other supported 2FA methods, as each will have a corresponding section in the credentials object if enabled for the user [Identity credentials](https://www.ory.sh/docs/kratos/mfa/totp#identity-credentials). If you need to check for WebAuthn, look for a credentials.webauthn section in the identity object. Please note that the knowledge sources do not provide a direct API call example, but the structure of the identity object and the presence of these credentials sections are clearly documented.
w
@chilly-king-10285 I think that's not true, because even users without webauthn will have a `credentials.webauthn` section, apparently because kratos reserves it for future use. Is there a way to see, perhaps from the contents of the `credentials.webauthn` section, whether the user has really enrolled in webauthn?
b
A message from kapa.ai
You are correct: the presence of the `credentials.webauthn` section alone does not guarantee that a user has actually enrolled in WebAuthn, as Ory Kratos may include this section even for users who have not registered a WebAuthn credential. To determine if a user has truly enrolled in WebAuthn, you should inspect the contents of the `credentials.webauthn.config.credentials` array within the identity object. If this array contains one or more entries, it indicates that the user has registered at least one WebAuthn credential. Each entry typically includes fields such as `display_name`, `added_at`, `id`, `public_key`, and other WebAuthn-specific values. If the array is empty or missing, the user has not enrolled in WebAuthn. Here is an example from the documentation showing a user with a registered WebAuthn credential:
```yaml
credentials:
  webauthn:             # the map key is the credential type
    id: webauthn
    identifiers:
      - alice@example.org
    config:
      credentials:
        - display_name: my-key
          added_at: "2022-03-06T09:45:18Z"
          is_passwordless: false
          id: P/psShpG+SOCxBqslynuxMors6oexs7RS09bSA/F9EI=
          public_key: pQECAyYgASFYIJ0RRsaHJ2IQ6Eh11BPpHkdOl2DkICXg3rJVxSHQAsklIlgga0Tt2PqLlg/baAl20Y64JCllE71jDG+XzHfN6FT/S9I=
          attestation_type: none
          authenticator:
            aaguid: AAAAAAAAAAAAAAAAAAAAAA==
            sign_count: 1
            clone_warning: false
      user_handle: NDVP4/1nTj2CTFaItp/zXg==
```
So, to check if a user has enrolled in WebAuthn, look for at least one entry in `credentials.webauthn.config.credentials` [Identity credentials](https://www.ory.sh/docs/kratos/mfa/webauthn-fido-yubikey#identity-credentials). The knowledge sources do not provide explicit information about the behavior for users who have never enrolled, but based on the documented structure, the presence of credential entries is the reliable indicator.
w
@chilly-king-10285 How do I ask kratos to include multiple credential types in the response using the `include_credential` parameter?
b
A message from kapa.ai
To ask Ory Kratos to include multiple credential types in the response, use the `include_credential` query parameter multiple times in your API request, once for each credential type you want to include. For example, to include both `password` and `oidc` credentials, your request would look like:
```http
GET /admin/identities/{id}?include_credential=password&include_credential=oidc
```
This approach is documented in the API reference, which specifies that `include_credential` is an array-type query parameter and can be set to any supported credential type (such as `password`, `oidc`, `totp`, etc.) [Get an Identity](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json). You can also use this approach with the list identities endpoint:
```http
GET /admin/identities?include_credential=password&include_credential=oidc
```
This will include the specified credentials in the response for each identity [List identities](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json). If you are using an SDK or client library, you would typically pass an array or list of credential types to the corresponding method parameter [Export identities](https://www.ory.sh/docs/kratos/manage-identities/export-user-accounts-identities).
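Editor's added example, placed after the thread rather than inside it: this is not code from the conversation above or from the Ory project. It puts the three answers together in one script: build the admin URL with `include_credential` repeated once per type, then decide enrollment from the populated `config` rather than from the mere presence of a `credentials.<type>` section. It assumes the identity JSON shape quoted in the thread (credential map keyed by type, `config.totp_url` for TOTP, `config.credentials[]` with `is_passwordless` for WebAuthn); the base URL, identity ID and sample identities are constructed placeholders. One caveat the thread does not raise: WebAuthn entries flagged `is_passwordless: true` are first-factor passkeys, not a second factor, so they are reported separately.

```python
"""Check which second factors a Kratos identity has actually enrolled.

Editor's added example; not from the thread above or from Ory. Works on the
identity object returned by
GET /admin/identities/{id}?include_credential=totp&include_credential=webauthn
"""
import json
from urllib.parse import urlencode


def admin_identity_url(base_url: str, identity_id: str, credential_types: list[str]) -> str:
    """Build the admin GET URL, repeating include_credential once per type.

    urlencode() over a list of pairs emits the repeated-key form the API spec
    describes for an array query parameter.
    """
    query = urlencode([("include_credential", t) for t in credential_types])
    return f"{base_url.rstrip('/')}/admin/identities/{identity_id}?{query}"


def enrolled_second_factors(identity: dict) -> dict[str, bool]:
    """Return which 2FA methods are really enrolled on an identity.

    totp: enrolled only if config.totp_url is set.
    webauthn: enrolled as a second factor only if at least one entry in
      config.credentials has is_passwordless false. Entries with
      is_passwordless true are passkeys and are reported separately.
    A missing section, or a section whose config is empty because that type
    was not named in include_credential, counts as not enrolled.
    """
    creds = identity.get("credentials") or {}
    totp_cfg = (creds.get("totp") or {}).get("config") or {}
    webauthn_cfg = (creds.get("webauthn") or {}).get("config") or {}
    entries = webauthn_cfg.get("credentials") or []
    return {
        "totp": bool(totp_cfg.get("totp_url")),
        "webauthn": any(not e.get("is_passwordless", False) for e in entries),
        "webauthn_passwordless": any(e.get("is_passwordless", False) for e in entries),
    }


def has_second_factor(identity: dict) -> bool:
    """True if TOTP or a non-passwordless WebAuthn credential is enrolled."""
    flags = enrolled_second_factors(identity)
    return flags["totp"] or flags["webauthn"]


# Constructed sample identities (placeholders, not real Kratos output). The
# API JSON names the type field "type"; the docs' YAML shows it as "id".
TOTP_ONLY = json.loads("""{
  "id": "802471b9-06f5-49d4-a88d-5e7d6bcfed22",
  "credentials": {
    "password": {"type": "password", "identifiers": ["alice@example.org"], "config": {}},
    "totp": {"type": "totp", "identifiers": ["802471b9-06f5-49d4-a88d-5e7d6bcfed22"],
             "config": {"totp_url": "otpauth://totp/Example:alice@example.org?secret=JBSWY3DPEHPK3PXP&issuer=Example"}},
    "webauthn": {"type": "webauthn", "identifiers": ["alice@example.org"], "config": {}}
  }
}""")

# The case the user reported: a webauthn section exists but nothing is enrolled.
NOTHING_ENROLLED = json.loads("""{
  "id": "11111111-1111-1111-1111-111111111111",
  "credentials": {
    "password": {"type": "password", "identifiers": ["bob@example.org"], "config": {}},
    "webauthn": {"type": "webauthn", "identifiers": [], "config": {"credentials": []}}
  }
}""")

WEBAUTHN_MFA = json.loads("""{
  "id": "22222222-2222-2222-2222-222222222222",
  "credentials": {
    "webauthn": {"type": "webauthn", "identifiers": ["carol@example.org"],
                 "config": {"credentials": [{"display_name": "my-key", "is_passwordless": false,
                                             "id": "P/psShpG+SOCxBqslynuxMors6oexs7RS09bSA/F9EI="}],
                            "user_handle": "NDVP4/1nTj2CTFaItp/zXg=="}}
  }
}""")

PASSKEY_ONLY = json.loads("""{
  "id": "33333333-3333-3333-3333-333333333333",
  "credentials": {
    "webauthn": {"type": "webauthn", "identifiers": ["dave@example.org"],
                 "config": {"credentials": [{"display_name": "laptop", "is_passwordless": true,
                                             "id": "aGVsbG8="}]}}
  }
}""")


if __name__ == "__main__":
    print(admin_identity_url("https://kratos.example", TOTP_ONLY["id"], ["totp", "webauthn"]))
    for ident in (TOTP_ONLY, NOTHING_ENROLLED, WEBAUTHN_MFA, PASSKEY_ONLY):
        print(ident["id"], enrolled_second_factors(ident), "2fa:", has_second_factor(ident))
```

Run it against a real identity by replacing the constructed samples with the JSON body of the admin GET; if you omit a type from `include_credential`, its `config` comes back empty and the script correctly reports it as not enrolled, so name every type you intend to check.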