# ory-network
h
Hi 👋 Can anybody give me a hint how to enforce 2FA being configured before letting a user log into my system with Ory Identity (via OIDC)? Interrogating @chilly-king-10285 did not help here, sadly.
e
Have you looked here: https://www.ory.sh/docs/kratos/mfa/step-up-authentication There is a setting that if enabled allows login without a second factor, If disabled they will be requested to have a second factor.
h
Hi Jeff! Yup, I did check that doc. I have these settings toggled, or rather I have “Require second factor for login” in a bit different (older?) Ory Network Admin UI, but as the UI says > If users do not have a second-factor set up, this configuration does not affect them. As for using `/self-service/login/browser?aal=aal2`, I would be happy to, but I’m authenticating users through OIDC (Hydra), and I see no means to force Hydra to start a login flow with `aal=aal2`. Any tips on how to do that?
e
I think you would have to use a custom UI to achieve this. Let me look into it a bit and see if we can overload the redirect to login/consent.
h
Hey Jeff 👋 I know it’s early in the morning for you, but I just want to share thoughts I have accumulated so far. First of all, I would really like to avoid doing anything on the frontend side. I don’t exactly have enough FE skills, but most importantly because one can’t enforce security purely on the FE — a competent malicious actor would remove any `aal=aal2` parameter from a login redirect just as easily as we add it. Perhaps, I could’ve used a login webhook to raise the `requested_aal` in a login flow, but as far as I see there is no admin API to modify a flow. Another option with webhooks is to trigger a validation “failure” if we infer that a user is using just a password with OIDC, however the UX of it would be very bad — it’s limited to adding a red text under a specified UI field, and that’s it. There is, of course, an option to look for something like `"amr":["password"]` in the userinfo when handling an OIDC callback and reject this call, but that would mean writing Ory-specific tweaks in an otherwise standard flow. If we look at Okta, for example, there are authentication policies, which can be assigned to “apps” (OIDC clients) and apply regardless of what comes from the frontend.
e
I think this would be a great suggestion. Maybe something you can open in the Ory repo for Hydra or Kratos or Network (depending on what you are using).
h
We’re on Network currently. Just to clarify, what suggestion are we talking of — Okta-like authentication policies?
e
I think you can share 2 thoughts here that are solid ideas: one is a setting per Oauth2 client to enforce 2FA the other is to allow Hydra to support additional query string parameters.
h
Filed https://github.com/ory/network/issues/431 for 2FA enforcement. As for “to allow Hydra to support additional query string parameters”, I’m not really sure what to request. As you may guess, I’m not a fan of client-side parameters when it comes to security 😁
e
Thanks for filing it! I’m thinking less for security and more for additional functionality and convenience, but that’s ok, I have one internally I created. I’ll point the team at your issue to get some eyes on it. Thank you!
šŸ‘ 1