<@U04UQ68083H> force user login by email/password ...
# ory-copilot
@chilly-king-10285 force user login by email/password with TOTP layer AAL2
A message from kapa.ai
To force users to log in using email/password and then require TOTP as a second factor (AAL2) in Ory Kratos, you need to:

1. Enable password and TOTP authentication methods in your identity schema and configuration.
2. Enforce AAL2 for login or specific flows, so users must complete both factors.

### 1. Configure Identity Schema

Ensure your identity schema marks email as the identifier for password and TOTP:

```json
{
  "$id": "https://example.com/registration.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "ory.sh/kratos": {
            "credentials": {
              "password": { "identifier": true },
              "totp": { "account_name": true }
            }
          }
        }
      }
    }
  }
}
```
[Customize identity schema - examples](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#examples)

### 2. Enable TOTP in Kratos Configuration

In your Kratos config file:

```yaml
selfservice:
  methods:
    password:
      enabled: true
    totp:
      enabled: true
      config:
        issuer: ExampleIssuerForSelfHosted.com
```
[Configure TOTP](https://www.ory.sh/docs/kratos/self-hosted/mfa)

### 3. Enforce AAL2 for Login

To require both password and TOTP (AAL2) for login, set the required AAL in your configuration:

```yaml
session:
  whoami:
    required_aal: aal2
```
or, for specific flows (e.g., settings):

```yaml
selfservice:
  flows:
    settings:
      required_aal: highest_available
```
[Enforce MFA](https://www.ory.sh/docs/kratos/self-hosted/mfa)

### 4. User Flow

- User enters email and password.
- If TOTP is configured, Kratos prompts for the TOTP code.
- Only after both are provided does the session reach AAL2.

### 5. Programmatic Enforcement

If you want to enforce AAL2 in your app, check the session's AAL and redirect if not sufficient:

```js
import { Configuration, FrontendApi } from "@ory/client"

const ory = new FrontendApi(new Configuration({ basePath: process.env.ORY_SDK_URL }))

// toSession() resolves to an Axios response; the session object is in `data`.
// Note: if Kratos itself is configured to demand AAL2 for whoami, this call
// rejects with HTTP 403 (error id "session_aal2_required") instead of returning
// an AAL1 session, so the catch path should redirect as well.
const { data: session } = await ory.toSession({ cookie: req.header("cookie") })
if (session.authenticator_assurance_level !== "aal2") {
  res.redirect(`${process.env.ORY_SDK_URL}/self-service/login/browser?aal=aal2`)
}
```
[Check AAL](https://www.ory.sh/docs/identities/get-started/mfa#check-aal)

---

Summary: Enable both password and TOTP, set `required_aal: aal2` for the login/session, and ensure your identity schema supports both. This will force users to log in with email/password and then complete TOTP for AAL2.
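As an added example for this thread (editor's code, not part of the kapa.ai answer and not Ory's own code), here is an Express-style middleware that performs the step-5 check and also covers the case the snippet above does not: when Kratos is configured to demand AAL2 for whoami, `/sessions/whoami` does not return an AAL1 session at all but fails with HTTP 403 and error id `session_aal2_required`, and a missing session fails with 401. The decision logic is kept in a pure function so it can be tested without a running Kratos. It assumes `ory` is an `@ory/client` `FrontendApi` whose `toSession()` resolves to an Axios response (`{ data: session }`) and rejects with an Axios error; the default base URL `http://127.0.0.1:4433`, the `app`/`ory` objects in the usage comment and the `/account` route are assumptions.

```javascript
// Added example: AAL2 enforcement middleware for an Express app fronting Ory Kratos.
// Not code from the kapa.ai answer or from Ory; see assumptions in the comments.

const KRATOS_PUBLIC_URL = process.env.ORY_SDK_URL || "http://127.0.0.1:4433" // assumed default

// Pure decision function so the policy can be unit-tested without Kratos.
//   session: the /sessions/whoami body, or null
//   error:   the rejection from toSession() (Axios-style error), or null
function decideAal2(session, error) {
  if (error) {
    const status = error.response && error.response.status
    const body = (error.response && error.response.data) || {}
    const errorId = body.error && body.error.id
    if (status === 401) {
      // No (valid) session cookie at all: ordinary login.
      return { action: "redirect", reason: "unauthenticated" }
    }
    if (status === 403 && errorId === "session_aal2_required") {
      // Kratos is configured to require AAL2 and this session is only AAL1.
      return { action: "redirect", reason: "aal2_required" }
    }
    // Network failures, 5xx, etc. are not authorization decisions; propagate.
    throw error
  }
  if (!session || !session.active) {
    return { action: "redirect", reason: "unauthenticated" }
  }
  // whoami succeeded (required_aal is aal1): compare the AAL ourselves.
  if (session.authenticator_assurance_level !== "aal2") {
    return { action: "redirect", reason: "aal2_required" }
  }
  return { action: "allow" }
}

// Build the Kratos browser login URL. ?aal=aal2 asks Kratos to run only the
// second factor on top of the existing AAL1 session; return_to must be listed
// in selfservice.allowed_return_urls or Kratos rejects the flow.
function loginUrl(reason, returnTo) {
  const u = new URL("/self-service/login/browser", KRATOS_PUBLIC_URL)
  if (reason === "aal2_required") u.searchParams.set("aal", "aal2")
  u.searchParams.set("return_to", returnTo)
  return u.toString()
}

// Express middleware factory; `ory` is an @ory/client FrontendApi instance (assumed).
function requireAal2(ory) {
  return async (req, res, next) => {
    let session = null
    let error = null
    try {
      const resp = await ory.toSession({ cookie: req.header("cookie") })
      session = resp.data
    } catch (e) {
      error = e
    }
    let decision
    try {
      decision = decideAal2(session, error)
    } catch (e) {
      return next(e) // let the Express error handler deal with transport failures
    }
    if (decision.action === "allow") {
      req.orySession = session
      return next()
    }
    const here = `${req.protocol}://${req.get("host")}${req.originalUrl}`
    return res.redirect(loginUrl(decision.reason, here))
  }
}

// Usage (assumed app and ory objects):
//   app.get("/account", requireAal2(ory), (req, res) => res.json(req.orySession.identity.traits))
```

Keeping the decision separate from the transport means the 401/403 handling can be unit-tested with constructed error objects, and the same function works whether the AAL requirement is enforced by Kratos or only by the application.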