<@U04UQ68083H> how to set totp valid time in krato...
# ory-copilot
f
@chilly-king-10285 How to set the TOTP valid time in Kratos?
b
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain explicit information about configuring the validity period (valid time) for TOTP codes in Ory Kratos. The available documentation covers how to enable and configure TOTP, set the issuer, and pair TOTP apps, but does not mention an option to set the TOTP code's time window or validity duration. The default behavior is that TOTP codes are typically valid for 30 seconds, as is standard for TOTP, but this is not described as configurable in the provided sources [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). If you need to adjust the TOTP validity period, you may need to consult the Ory Kratos source code or open an issue with the Ory team for further guidance.
f
@chilly-king-10285 I want to set it to 2 minutes
b
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain information about configuring the TOTP code validity period (such as setting it to 2 minutes) in Ory Kratos. The documentation describes how to enable and configure TOTP, but does not mention any option to change the default validity window for TOTP codes. The standard TOTP validity is typically 30 seconds, and there is no documented setting to extend this to 2 minutes [Time-based one-time passwords (TOTP)](https://www.ory.sh/docs/kratos/mfa/totp). If you require this functionality, you may need to consult the Ory Kratos source code or reach out to the Ory team for further support.
f
@chilly-king-10285 When I log in with the login flow, my other app that is handled with OIDC to Ory also needs password verification again. How can I update the config of Kratos or Hydra to not activate the password verification, or change its UI page?
b
A message from kapa.ai
Based on the knowledge sources, this is a common scenario when integrating Ory Kratos (for authentication) and Ory Hydra (for OAuth2/OIDC). When a user logs in via Kratos and then accesses another app that uses OIDC with Hydra, they may be prompted to log in again, especially if the session is not shared or recognized between the apps.

How to avoid repeated password verification or change the login UI:

1. Session Sharing and Prompt Behavior:
   - Hydra uses the `prompt=none` parameter to check for an existing session. If Hydra does not detect a valid session, it will require the user to authenticate again. This is standard OIDC behavior. If the session is not shared or recognized, the user will be prompted to log in again, even if they just logged in via Kratos.
   - According to the Hydra documentation, this is expected:
     > prompt=none instructs Ory OAuth2 & OpenID Connect to not display the login or consent user interface pages. An error is returned if an End-User isn’t already authenticated... This can be used as a method to check for existing authentication and/or consent.
   - If you want to avoid this, you need to ensure that the session cookie set by Kratos is available and valid for Hydra as well. This typically requires both services to be on the same domain and to share cookie settings (such as SameSite, domain, etc.) [The /oauth2/auth endpoint redirects with an error indicating no session after signing in](https://github.com/ory/network/issues/194).
2. Changing the Login UI Page:
   - You can change the login UI page by updating the `ui_url` in your Kratos configuration:
     ```yaml
     selfservice:
       flows:
         login:
           ui_url: https://your-app.com/auth/login
     ```
   - This will redirect users to your custom login page when authentication is required [Configure User Interface](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#configure-user-interface).
3. Session Lifespan and Re-authentication:
   - If you want to control how often users are required to re-authenticate, you can adjust the session lifespan in Kratos:
     ```yaml
     selfservice:
       flows:
         login:
           lifespan: 10m  # Set to your desired session duration
     ```
   - However, this controls the login flow's lifespan, not the session itself. For session settings, you may need to adjust cookie settings and session management in both Kratos and Hydra.
4. Hydra Login URL:
   - In Hydra, you can set the login URL to point to your custom login page:
     ```yaml
     urls:
       login: https://your-app.com/auth/login
     ```
   - This ensures that when Hydra requires authentication, it redirects to your specified login UI [Registration flow doesn't return to consent flow after verification via ajax api when using with kratos+hydra](https://github.com/ory/kratos/issues/4233).

Summary: To avoid repeated password prompts, ensure session cookies are shared and valid across your apps and Ory services. You can customize the login UI by updating the `ui_url` in Kratos and the `login` URL in Hydra. There is no documented way to completely disable password verification when Hydra requires authentication, as this is part of the OIDC security model. If you need more advanced session sharing or SSO, you may need to review your deployment architecture and cookie settings to ensure seamless authentication across your applications.