Skip to main content

Step-up authentication

You can set up multi-factor authentication to work in one of two models:

  • Strict, where secured operations always require the highest Authenticator Assurance Level (AAL).
  • Lax, where the secured operations require only the aal1 Authenticator Assurance Level (AAL).

In Ory Network, the default multi-factor authentication enforcement model is Strict. This means that high-risk operations via self-service endpoints, such as updating user settings, require step-up authentication by default.

You can set the required authentication model for these operations/endpoints:

  • User sign-in (getting an Ory Session) / /sessions/whoami endpoint
  • Self-service user settings


To change the multi-factor authentication enforcement to Lax and allow users to sign in or access user settings without authenticating with the second factor, go to the Ory ConsoleTwo-Factor Authentication and use the switches in the General Settings section.

Step-up authentication settings in Ory Console

Trigger Dynamic Multi-Factor authentication

To protect your application's sensitive functions - like accessing payment details, an order history, or private content - you can make users complete a second authentication factor in their current session by initiating a new login flow using one of these endpoints with the aal parameter set to aal2:

For example:


If the Ory Session has aal2 already, this will error. In that case, you can request to refresh the session using the second factor:


When the user successfully provides their configured second factor:

  • The method, for example totp, is added to the Ory Session.
  • Ory Session Authenticator Assurance Level (AAL) is set to aal2.
  • The authenticated_at time is set to the time when the user provides the second factor.