Step-up authentication

You can set up multi-factor authentication to work in one of two models:

  • Strict, where secured operations always require the highest Authenticator Assurance Level (AAL).
  • Lax, where the secured operations require only the aal1 Authenticator Assurance Level (AAL).

You can set the required authentication model for these operations/endpoints:

  • User sign-in (getting an Ory Session) and the /sessions/whoami endpoint
  • Self-service user settings

In the Ory Network, the default multi-factor authentication enforcement model is Strict. This means that high-risk operations such as updating user settings require step-up authentication by default.

To change the multi-factor authentication enforcement to Lax and allow users to sign in or access user settings without authenticating with the second factor, go to Two-Factor Authentication in the Ory Console and use the switches in the General Settings section.

Step-up authentication settings in Ory Console

Trigger step-up authentication

You can make users complete a second authentication factor in their current session by initiating a new login flow using one of these endpoints with the aal parameter set to aal2:

For example:


If the Ory Session has aal2 already, this will error. In that case, you can request to refresh the session using the second factor:


When the user successfully provides their configured second factor:

  • The method, for example totp, is added to the Ory Session.
  • Ory Session Authenticator Assurance Level (AAL) is set to aal2.
  • The authenticated_at time is set to the time when the user provides the second factor.
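The decision logic described above, as an added example that is not part of Ory's own code or documentation: it reads a session in the shape of a /sessions/whoami response and returns the login-flow URL a Strict-model endpoint should redirect to. The session field names, the browser login endpoint path and the refresh=true parameter are assumed from Ory Kratos; the sample sessions and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Constructed sample sessions in the shape of GET /sessions/whoami responses.
# Field names (authenticator_assurance_level, authentication_methods,
# authenticated_at) are assumed from Ory Kratos; timestamps are made up.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SESSION_AAL1 = {
    "active": True,
    "authenticator_assurance_level": "aal1",
    "authenticated_at": "2024-01-01T11:50:00Z",
    "authentication_methods": [
        {"method": "password", "completed_at": "2024-01-01T11:50:00Z"},
    ],
}
SESSION_AAL2 = {
    "active": True,
    "authenticator_assurance_level": "aal2",
    "authenticated_at": "2024-01-01T11:55:00Z",
    "authentication_methods": [
        {"method": "password", "completed_at": "2024-01-01T11:50:00Z"},
        {"method": "totp", "completed_at": "2024-01-01T11:55:00Z"},
    ],
}


def _ts(value):
    """Parse an RFC 3339 timestamp as returned in the session object."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def step_up_url(base_url, session, max_age=timedelta(minutes=10), now=None):
    """Return None when the session may perform a secured (Strict) operation,
    otherwise the login-flow URL the user must complete first."""
    if now is None:
        now = datetime.now(timezone.utc)
    login = f"{base_url}/self-service/login/browser"  # assumed Kratos path
    if not session.get("active"):
        return login  # no usable session: plain sign-in, no aal parameter
    if session.get("authenticator_assurance_level") != "aal2":
        # aal1 session: start a login flow that asks only for the second factor
        return f"{login}?{urlencode({'aal': 'aal2'})}"
    # Already aal2: a plain aal=aal2 request errors, so ask for a refresh
    # instead, and only when the last authentication is older than the policy.
    if now - _ts(session["authenticated_at"]) > max_age:
        return f"{login}?{urlencode({'refresh': 'true', 'aal': 'aal2'})}"
    return None
```

The max_age check is a local policy choice, not an Ory setting: it forces a fresh second factor for operations where a stale aal2 session should not be enough.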