Skip to main content

Step-up authentication

You can set up multi-factor authentication to work in one of two models:

  • Strict, where secured operations always require the highest Authenticator Assurance Level (AAL).
  • Lax, where the secured operations require only the aal1 Authenticator Assurance Level (AAL).

You can set the required authentication model for these operations/endpoints:

  • User sign-in (getting an Ory Session) / /sessions/whoami endpoint
  • Self-service user settings

In the Ory Network, the default multi-factor authentication enforcement model is Strict. This means that high-risk operations such as updating user settings require step-up authentication by default.

Configuration

To change the multi-factor authentication enforcement to Lax and allow users to sign in or access user settings without authenticating with the second factor, go to the Ory ConsoleTwo-Factor Authentication and use the switches in the General Settings section.

https://console.ory.sh/

Step-up authentication settings in Ory Console

Trigger step-up authentication

You can make users complete a second authentication factor in their current session by initiating a new login flow using one of these endpoints with the aal parameter set to aal2:

For example:

/self-service/login/browser?aal=aal2
/self-service/login/api?aal=aal2
note

If the Ory Session has aal2 already, this will error. In that case, you can request to refresh the session using the second factor:

/self-service/login/browser?refresh=true&aal=aal2
/self-service/login/api?refresh=true&aal=aal2

When the user successfully provides their configured second factor:

  • The method, for example totp, is added to the Ory Session.
  • Ory Session Authenticator Assurance Level (AAL) is set to aal2.
  • The authenticated_at time is set to the time when the user provides the second factor.