Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

any way to force users to set up 2fa on sign up?

This isn’t possible at the moment. Could you open an issue to track this?

Is this possible with custom sign-up flow? Can we do it on our own?

You could create a blocking post registration hook (if login after registration is enabled) and post login hook to force the user to setup mfa until they have an AAL2 session

I think in this case you also have to disable the session hook post registration (so the user does not get logged in immediately when they sign up).