# ory-copilot
@chilly-king-10285 I want to enforce multi-factor authentication for some users but not others. is this possible?
A message from kapa.ai
Ory Identities (Kratos) allows you to enforce multi-factor authentication (MFA) based on the configuration of your project. The enforcement is typically set at the flow or session level, such as requiring the highest available authentication assurance level (AAL) for all users when accessing sensitive operations like account settings or sessions. For example, you can set:
```yaml
selfservice:
  flows:
    settings:
      required_aal: highest_available
session:
  whoami:
    required_aal: highest_available
```
With this configuration, users who have a second factor configured will be required to complete MFA, while users without a second factor will only need their primary authentication (e.g., password). This means that enforcement is dynamic: only users who have set up MFA are required to use it, while others are not prompted for a second factor. This is the default and recommended approach in Ory Network and self-hosted Ory Kratos deployments.

However, there is no built-in way to enforce MFA for a specific, arbitrary subset of users based on custom logic or user attributes—enforcement is based on whether the user has a second factor configured or not, not on other criteria like user roles or groups ([Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa), [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)).

If you need more granular, attribute-based enforcement (e.g., only enforce MFA for users in a certain group), the knowledge sources do not describe a direct way to achieve this within Ory's built-in configuration. You may need to implement custom logic in your application layer to redirect or require step-up authentication for specific users based on your own criteria.

In summary:

- Ory enforces MFA for users who have a second factor configured, and not for those who do not.
- There is no documented way to enforce MFA for arbitrary subsets of users beyond this mechanism.
- For more granular control, you would need to implement custom logic outside of Ory's built-in configuration.

If you need further details or examples, please let me know!