# ory-selfhosting
s
Hi, quick question! Still a vivid Kratos fan and user 😎 We're trying to enforce MFA/2FA using Kratos. Newly created users can couple TOTP, but they're not enforced to do so. Configuration has all the seemingly needed steps:
```yaml
...
      methods:
        password:
          enabled: true
        totp:
          enabled: true
          config:
            issuer: ory.test.info
...
    session:
      cookie:
        domain: ory.test.info
      whoami:
        required_aal: highest_available
...
      flows:
        settings:
          required_aal: highest_available
```
and of course the identity has it enabled as well
```json
"ory.sh/kratos": {
  "credentials": {
    "password": {
      "identifier": true
    },
    "totp": {
      "account_name": true
    }
  },
```
Anything we're missing?
m
I am not sure but I think you have to remove the session hook from registration flow 🤔 Is MFA also not enforced on login? Can you share your self-service flow config?
s
Hey Vincent, let me check our session hook! Also, the self-service login flow hasn't been touched yet, as it is executed client-side. I figured it shouldn't be enforced within that flow, or should it?