# ory-copilot
@chilly-king-10285 is there a way to force MFA with TOTP?
A message from kapa.ai
Yes. You can enforce MFA with TOTP in Ory by:

- Enabling the TOTP method in your Identities (Kratos) config, setting the issuer, and turning it on. [[TOTP](https://www.ory.sh/docs/kratos/mfa/totp)]
- Requiring the highest available AAL where needed:
  - For user settings (step-up on sensitive actions): set selfservice.flows.settings.required_aal to highest_available. [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication); [Self-hosted MFA](https://www.ory.sh/docs/kratos/self-hosted/mfa)]
  - To force users to complete a second factor before using your app, set session.whoami.required_aal to highest_available. [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)]

Config examples (self-hosted):
```yaml
selfservice:
  methods:
    totp:
      config:
        issuer: ExampleIssuer.com
      enabled: true
  flows:
    settings:
      required_aal: highest_available  # step-up for settings
session:
  whoami:
    required_aal: highest_available    # require MFA for app usage
```
Notes:

- Users still need to enroll TOTP on their accounts after you enable it project-wide. [[TOTP](https://www.ory.sh/docs/kratos/mfa/totp)]
- If you want to trigger a TOTP challenge on demand (dynamic step-up), initialize a login flow with aal=aal2 (and refresh=true if the session is already aal2). [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)]

If you're on Ory Network, the same settings can be toggled in Console under Authentication → Two-factor auth. [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication); [Identities getting started](https://www.ory.sh/docs/identities/get-started/mfa)]
@chilly-king-10285 How can I enforce that all users enroll TOTP? Is it possible to integrate the setup in the login or at least the registration flow?
A message from kapa.ai
Short answer:

- You can require a second factor (AAL2) for using the app or performing sensitive actions, which effectively forces users who have not enrolled a second factor yet to go set one up. However, the docs do not show a built-in way to make TOTP enrollment part of the login or registration flow itself. Users must enroll TOTP via the settings flow after you enable it. [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication); [TOTP](https://www.ory.sh/docs/kratos/mfa/totp)]

What you can enforce today

- Enable the TOTP method project-wide. Users then pair a TOTP app under Account Settings. [[TOTP](https://www.ory.sh/docs/kratos/mfa/totp)]
- Enforce AAL2 so users cannot use the app without completing a second factor:
  - Set session.whoami.required_aal to highest_available to force MFA for app usage. [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)]
  - Keep or set selfservice.flows.settings.required_aal to highest_available to require step-up when changing settings. [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)]
- If you need to prompt for MFA on specific actions (dynamic step-up), initialize a login flow with aal=aal2 (and refresh=true if needed). [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication)]

Why this enforces enrollment

- When AAL2 is required but a user has no second factor configured, they'll be blocked and will need to go to the settings flow to enroll (e.g., TOTP) before proceeding. The docs explicitly state users are responsible for enabling TOTP after it's turned on for the project. [[TOTP](https://www.ory.sh/docs/kratos/mfa/totp)]

About integrating TOTP setup into login or registration

- The knowledge sources do not show a supported configuration to embed TOTP enrollment into the login or registration flow directly. Enrollment happens in the settings flow after account creation/sign-in. [[TOTP](https://www.ory.sh/docs/kratos/mfa/totp)]
- You can still guide users there: after login, detect session_aal2_required and redirect the user to the settings page (e.g., with a #totp anchor) to complete enrollment. [[BYO UI 2FA](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#two-factor-authentication)]

Example (self-hosted) configuration snippet:
```yaml
selfservice:
  methods:
    totp:
      enabled: true
      config:
        issuer: ExampleIssuer.com
  flows:
    settings:
      required_aal: highest_available
session:
  whoami:
    required_aal: highest_available
```
- This combination enables TOTP and requires AAL2 both for app usage and for accessing settings, which compels users to enroll a second factor. [[Self-hosted MFA](https://www.ory.sh/docs/kratos/self-hosted/mfa); [Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication); [TOTP](https://www.ory.sh/docs/kratos/mfa/totp)]

If you're on Ory Network

- Use Console → Authentication → Two-factor auth to toggle enforcement (Strict model is default: highest_available). [[Step-up auth](https://www.ory.sh/docs/kratos/mfa/step-up-authentication); [MFA get-started](https://www.ory.sh/docs/identities/get-started/mfa)]