Can I start with normal login and initiate MFA later, on “dangerous” operations? ex: Github asks you for password for sensitive area. But MFA instead

Hey, yes you can implement that with "Authenticator Assurance Level" https://www.ory.sh/docs/kratos/concepts/credentials#authenticator-assurance-level-2-aal2 aal2 is what you are looking for, requiring MFA for certain flows, most common is settings (changing password/email etc.)

Thank you! I am moving forward with integration as Kratos meets most of our needs. Look forward contribute to Kratos and other tools.