The issue where the second factor (MFA) screen does not display a text field to enter the code, even though the user has a verified email address, can occur due to several reasons in Ory Kratos or Ory Network: 1. UI Bug with Certain Login Methods (OIDC + MFA): There is a known issue when a user has both OIDC (OpenID Connect) and MFA (such as TOTP) enabled. After logging in via OIDC, the MFA prompt may appear without a form field to enter the code, making it impossible for the user to complete the MFA step. This issue does not occur with password-based logins, only with OIDC and MFA together. This is a UI/flow bug and not a configuration issue on your part. The Ory team is aware of this problem, as reported in a GitHub issue, and it is specific to the combination of OIDC and MFA flows. If you are using OIDC, this is likely the cause of your problem [MFA not supported with OIDC](https://github.com/ory/network/issues/399). 2. Missing or Incorrect MFA UI Configuration: If you are self-hosting and have not set the

selfservice.flows.mfa.ui_url

in your configuration, users may be redirected to a fallback page that does not provide the correct UI for entering the MFA code. Ensure that your configuration includes the correct MFA UI URL:

yaml    selfservice:      flows:        mfa:          ui_url: <http://my-app.com/mfa>

You can also set this using the

SELFSERVICE_FLOWS_MFA_UI_URL

environment variable [MFA UI configuration](https://www.ory.sh/docs/kratos/fallback/mfa). 3. Custom UI Implementation Issues: If you are using a custom UI, ensure that your UI correctly renders the fields required for the MFA step. The UI should handle the flow and display the input field for the code when the session requires AAL2. If the UI does not handle the

session_aal2_required

error or the flow data properly, the field may not appear [Advanced UI integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#two-factor-authentication). If you are not using OIDC and your configuration is correct, but the field still does not appear, it may be a bug in your UI or a misconfiguration. Double-check your configuration and UI implementation as described above. If you are using OIDC as a login method, this is a known limitation and currently not fully supported for MFA flows in Ory Network [MFA not supported with OIDC](https://github.com/ory/network/issues/399).