I'm interested in Ory Kratos for use in my project...
# talk-kratos
b
I'm interested in Ory Kratos for use in my project. We require a 2FA one-time code to be sent to the user via SMS or mail. After searching for a decent amount of time, I did not find a solution to this problem. Can you please tell me if it is possible to extend Ory Kratos to get this behavior?
q
I too wanted 2FA to be sent through SMS or email, but never found a solution. Instead, I've implemented it into our API as our own custom code, storing if sessions are 2FA authenticated, and rejecting requests if they aren't.
b
😟
l
We also needed that, but it's not yet available. I think that they could probably add this to Kratos in the future, as we can now send an OTP code for the recovery flow and it already supports sending SMS.
m
Yeah, this was unfortunately a bit of a dealbreaker for us. I know SMS and email aren't best-in-class from a security standpoint, but for apps with non-technically sophisticated users they are familiar to use and very easy to set up (and are still way better than having no MFA). In fact, for our user base, MFA is almost synonymous with SMS as the default assumed delivery method. Not to mention, for mobile apps, SMS MFA offers much better UX than TOTP, an important consideration when trying to drive adoption at scale.