Configure multi-factor authentication in Ory Kratos
Enforce MFA
When working with self-hosted instances of Ory Identities (Kratos), change the enforcement model by adjusting the configuration file.
# ...
selfservice:
  flows:
    settings:
      required_aal: highest_available
# ...
session:
  whoami:
    required_aal: aal1
# ...
This configuration requires the highest authentication factor a user has available before they can access their account settings. For example, users without a second factor configured can access the settings after they sign in with their password. Users that have a second factor set up (such as a TOTP app) must complete the second factor challenge to access account settings.
Because session.whoami.required_aal is set to aal1, users can still use your application without completing a second factor.
If instead you want all users that configured a second factor to complete that factor before using your app, set session.whoami.required_aal to highest_available.
WebAuthn
To configure WebAuthn in your self-hosted Kratos instance, add the webauthn method to selfservice.methods in the Ory Kratos configuration file:
selfservice:
  methods:
    webauthn:
      config:
        passwordless: false
        rp:
          display_name: SAMPLE_NAME
          # Set 'id' to the relying party ID: the domain of the origin host, or a parent domain of it.
          id: loginpage.com
          # Set 'origin' to the exact URL of the page that prompts the user to use WebAuthn. You must include the scheme, host, and port.
          origin: https://loginpage.auth.com:4455
      enabled: true
Pay special attention to the origin URL, as it has to match the scheme, host, and port of the page you're starting the flow from. The rp.id must also be the host of that origin or a parent domain of it; otherwise the browser rejects the WebAuthn ceremony.
Time-based one-time passwords (TOTP)
To configure TOTP in your self-hosted Kratos instance, add the totp method to selfservice.methods in the configuration file:
selfservice:
  methods:
    totp:
      config:
        # The "issuer" is the name in the TOTP application users see when getting a one-time password.
        issuer: ExampleIssuerForSelfHosted.com
      enabled: true
Lookup Secrets (Recovery Codes)
To configure lookup secrets, add the lookup_secret method to selfservice.methods in the configuration file:
selfservice:
  methods:
    lookup_secret:
      enabled: true
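As an added example (not Kratos project code), the following script checks a configuration shaped like the ones above for the two things that most often go wrong: a WebAuthn rp.id that is not the origin host or a parent domain of it, and an enforcement model where enrolled second factors are not actually required. The configuration is a constructed dictionary mirroring the YAML keys; the function names and the treatment of an unset required_aal as aal1 are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the structure of the Kratos config sections above
# (example data, not the project's own code or configuration).
SAMPLE_CONFIG = {
    "selfservice": {
        "flows": {"settings": {"required_aal": "highest_available"}},
        "methods": {
            "webauthn": {"enabled": True, "config": {"passwordless": False, "rp": {
                "display_name": "Example", "id": "example.com",
                "origin": "https://login.example.com:4455"}}},
            "totp": {"enabled": True, "config": {"issuer": "example.com"}},
            "lookup_secret": {"enabled": True},
        },
    },
    "session": {"whoami": {"required_aal": "aal1"}},
}

def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """WebAuthn rule: the RP ID must equal the origin's host or be a parent domain of it."""
    host = (urlsplit(origin).hostname or "").lower()
    rp_id = rp_id.lower()
    return bool(rp_id) and (host == rp_id or host.endswith("." + rp_id))

def check_mfa_config(cfg: dict) -> tuple[list[str], list[str]]:
    """Return (errors, notes): errors break WebAuthn; notes describe the enforcement model."""
    errors, notes = [], []
    selfservice = cfg.get("selfservice", {})
    methods = selfservice.get("methods", {})
    webauthn = methods.get("webauthn", {})
    if webauthn.get("enabled"):
        rp = webauthn.get("config", {}).get("rp", {})
        origin = rp.get("origin", "")
        parts = urlsplit(origin)  # origin needs scheme and host; port is part of the host match
        if parts.scheme not in ("http", "https") or not parts.hostname:
            errors.append(f"webauthn: origin {origin!r} must be a full URL with scheme, host and port")
        elif not rp_id_matches_origin(rp.get("id", ""), origin):
            errors.append(f"webauthn: rp.id {rp.get('id')!r} is neither the origin host nor a parent domain of it")
    has_second_factor = any(methods.get(m, {}).get("enabled") for m in ("webauthn", "totp", "lookup_secret"))
    whoami_aal = cfg.get("session", {}).get("whoami", {}).get("required_aal", "aal1")  # assumed default
    settings_aal = selfservice.get("flows", {}).get("settings", {}).get("required_aal", "aal1")
    if has_second_factor and whoami_aal != "highest_available":
        notes.append("session.whoami.required_aal=aal1: users with a second factor can use the app with password only")
    if has_second_factor and settings_aal != "highest_available":
        notes.append("selfservice.flows.settings.required_aal=aal1: account settings reachable with password only")
    return errors, notes

if __name__ == "__main__":
    print(check_mfa_config(SAMPLE_CONFIG))
```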