Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

There seems to be a weird issue with the self-service flow and 2fa. If a user does not enter their 2FA code and then tries to log in again, they don’t get prompted for 2FA but instead get returned to the returnTo URL:

```<https://auth.maxroll.gg/self-service/login/browser?return_to=https://maxroll.gg/d3/logged-in?action=post-login&amp;after_verification_return_to=https://maxroll.gg/d3/logged-in?action=post-login>```


That depends on your configuration for the session AAL factor (aka enforce MFA)

It's turned off though. This seems like a bug

Do you have a reproducible example for us? That would be very helpful!