Require new users to set up two factor auth during registration #3062
Comments
It would be expected to solve it like this:
This is a relatively easy approach in your middleware (which you'll need anyway to redirect to the 2fa login page!) and you have full control over when to show the screen or not. Adding such a config option to Kratos would just complicate things because now you need policy or adaptive MFA or whatever, because every company wants to solve MFA enrollment differently (some want to wait 7 days, others want to wait 3 days, others want to exclude user group A, and so on ...)
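As an added example (not code from this issue, its maintainers or Ory), here is the decision logic such a middleware would run on every protected request in Go: it reads the Kratos `GET /sessions/whoami` response, applies an app-specific enrollment grace period computed from the identity's `created_at`, and chooses between the settings flow (enroll a second factor) and the `aal=aal2` login flow (step-up). Assumptions: the login and settings URLs and the grace period are yours to set, `session.whoami.required_aal` is configured as `highest_available`, and the error envelope shape is assumed as `{"error":{"id":...}}`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Subset of the Kratos GET /sessions/whoami body (field names as in the Kratos session object).
type whoamiSession struct {
	AuthenticatorAssuranceLevel string                                          `json:"authenticator_assurance_level"`
	Identity                    struct{ CreatedAt time.Time `json:"created_at"` } `json:"identity"`
}
// Error envelope of a non-2xx whoami; assumed shape {"error":{"id":"session_aal2_required"}}.
type whoamiError struct {
	Error struct{ ID string `json:"id"` } `json:"error"`
}
// Policy holds the per-company rules the maintainer says belong in your app, not in Kratos.
type Policy struct {
	GracePeriod time.Duration // how long after registration an aal1-only session is tolerated
	LoginURL    string        // assumed: Kratos browser login flow URL
	SettingsURL string        // assumed: Kratos browser settings flow URL, where TOTP is enrolled
}

// Decide maps a whoami response to a redirect target; "" means let the request through. Assumes
// required_aal = highest_available: 200+aal1 means nothing enrolled, enrolled-but-unused gives 403.
func (p Policy) Decide(status int, body []byte, requested string, now time.Time) (string, error) {
	rt := "return_to=" + url.QueryEscape(requested)
	switch status {
	case http.StatusOK:
		var s whoamiSession
		if err := json.Unmarshal(body, &s); err != nil {
			return "", err
		}
		if s.AuthenticatorAssuranceLevel == "aal2" || now.Sub(s.Identity.CreatedAt) < p.GracePeriod {
			return "", nil // second factor used, or still inside the enrollment grace period
		}
		return p.SettingsURL + "?" + rt, nil // force enrollment before anything else
	case http.StatusForbidden:
		var e whoamiError
		if json.Unmarshal(body, &e) == nil && e.Error.ID == "session_aal2_required" {
			return p.LoginURL + "?aal=aal2&" + rt, nil // step-up: factor enrolled but not presented
		}
	case http.StatusUnauthorized:
		return p.LoginURL + "?" + rt, nil // no session at all
	}
	return "", fmt.Errorf("unexpected whoami response %d: %s", status, body)
}
```

The constructed inputs in a test would be whoami bodies for a fresh account, an old aal1-only account, an aal2 session and a 403 step-up error; the middleware itself only needs to forward the request cookies to whoami and call `Decide` on the status and body.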
Sadly, some of us rely on Ory to help us not think about these things too much, as it's a complex domain. I don't really understand what the flow is that you've described there, @aeneasr. Would we need to implement that in an app like the self-service example gives us?
Can you clarify what aal means, @aeneasr?
Hey @designermonkey, you can see some descriptions of Authenticator Assurance Level (AAL) in the docs over here: https://www.ory.sh/docs/kratos/mfa/overview There are some descriptions of the different authentication methods, which are first or second factors, and what constitutes aal1 and aal2.
Thanks @seeruk |
Preflight checklist
Describe your problem
There doesn't seem to be a way to force a user to set up 2FA on sign up. There are flags configuring it, and you can require the various endpoints to require the highest level of auth (such as userinfo), but Ory won't force users to configure their 2FA during sign up.
Describe your ideal solution
A way to configure 2FA during registration, or a way to add the setup to the registration flow (is this currently possible? It's unclear from the flow docs whether things like this can be done).
Workarounds or alternatives
None, as we need 2FA during registration.
Version
latest
Additional Context
No response