You can enforce multi-factor authentication in one of two models:
- Strict, where secured operations always require the highest Authenticator Assurance Level (AAL).
- Lax, where the secured operations require only the
aal1Authenticator Assurance Level (AAL).
You can set the required authentication model for these operations/endpoints:
- User sign-in (getting an Ory Session) /
- Self-service user settings
Ory Cloud Console
In Ory Cloud projects, the default multi-factor authentication enforcement model is Strict.
To change it to Lax and allow users to sign in or access user settings without authenticating with the second factor, go to the Ory Cloud Console → Two-Factor Authentication and use the switches in the General Settings section.
Follow these steps to adjust the settings in Ory Cloud using the Ory CLI:
- Get the Identity Service configuration from your project and save it to a file:
## List all available projects
ory list projects
## Get config
ory get identity-config <project-id> --format yaml > identity-config.yaml
- Adjust the values of the indicated keys to the desired values:
aal1 for the Lax model and
highest_available for the Strict model.
- Update the Ory Cloud Identity Service configuration using the file you worked with:
ory update identity-config <project-id> --file identity-config.yaml
When working with self-hosted instances of the Ory Identity Service (Kratos), change the enforcement model by adjusting these keys in the configuration file: