Yes, you can enable or disable the requirement for a second factor (MFA) for self-service settings by updating the Ory Identities configuration, specifically the

required_aal

value under the

selfservice.flows.settings

key. This can be done using the Ory CLI and the REST API for updating project configuration. The process is as follows: 1. Download your current identity configuration using the Ory CLI or API. 2. Edit the configuration file to set

selfservice.flows.settings.required_aal

to either

highest_available

(to require the second factor if available) or

aal1

(to not require it). 3. Upload the updated configuration back to your project using the Ory CLI or API. Example configuration snippet:

yaml selfservice:   flows:     settings:       required_aal: highest_available  # or 'aal1' for lax mode

You can update the configuration using the CLI:

ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml

Or, if you use the REST API, you would use the endpoint for updating the identity configuration, which is available in Ory Network. The documentation does not provide a direct example of the REST API call, but the CLI uses the API under the hood, so this is possible. Note: There is no explicit mention in the knowledge sources of a dedicated REST API endpoint solely for toggling this setting, but updating the configuration via the API is supported and is the standard way to change this behavior in Ory Network and Ory Kratos deployments. The Ory Console and CLI are the recommended interfaces, but the underlying mechanism is a configuration update via API. For more details, see the official documentation on step-up authentication and configuration management: [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication) and [Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa).