diff --git a/docs/kratos/mfa/01_overview.mdx b/docs/kratos/mfa/01_overview.mdx index 9ea9cccf6..15d88deff 100644 --- a/docs/kratos/mfa/01_overview.mdx +++ b/docs/kratos/mfa/01_overview.mdx @@ -19,7 +19,7 @@ By enabling two-factor authentication in your project, you introduce an addition or self-service actions, such as updating account information or credentials, from malicious actors. For example, you might decide to require a user to log in with two factors right at the start of the session. Alternatively, you could allow the user to start the session by logging in with the first factor and only require the second factor at the point -where the user is about to perform a security-sensitive operation. Read more about this in the +where the user is about to perform a security-sensitive operation. Read more about dynamic MFA in the [step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication) document. ## Available methods diff --git a/docs/kratos/mfa/05_step-up-authentication.mdx b/docs/kratos/mfa/05_step-up-authentication.mdx index bc648c912..da071a0a5 100644 --- a/docs/kratos/mfa/05_step-up-authentication.mdx +++ b/docs/kratos/mfa/05_step-up-authentication.mdx @@ -1,7 +1,7 @@ --- id: step-up-authentication -title: Use step-up authentication to protect high-risk operations -sidebar_label: Step-up authentication +title: Use dynamic multi-factor (step-up) authentication to protect high-risk operations +sidebar_label: Dynamic Multi-Factor Authentication --- # Step-up authentication @@ -17,14 +17,14 @@ You can set up multi-factor authentication to work in one of two models: - **Strict**, where secured operations always require the highest Authenticator Assurance Level (AAL). - **Lax**, where the secured operations require only the `aal1` Authenticator Assurance Level (AAL). +In Ory Network, the default multi-factor authentication enforcement model is **Strict**. This means that high-risk operations via +self-service endpoints, such as updating user settings, require step-up authentication by default. + You can set the required authentication model for these operations/endpoints: - User sign-in (getting an Ory Session) / `/sessions/whoami` endpoint - Self-service user settings -In the Ory Network, the default multi-factor authentication enforcement model is **Strict**. This means that high-risk operations -such as updating user settings require step-up authentication by default. - ## Configuration ```mdx-code-block @@ -95,10 +95,11 @@ Follow these steps to adjust the settings in the Ory Network using the Ory CLI: ``` -## Trigger step-up authentication +## Trigger Dynamic Multi-Factor authentication -You can make users complete a second authentication factor in their current session by initiating a new login flow using one of -these endpoints with the `aal` parameter set to `aal2`: +To protect your application's sensitive functions - like accessing payment details, an order history, or private content - you can +make users complete a second authentication factor in their current session by initiating a new login flow using one of these +endpoints with the `aal` parameter set to `aal2`: - [`/self-service/login/browser`](../../reference/api.mdx#operation/initializeSelfServiceLoginFlowForBrowsers) - [`/self-service/login/api`](../../reference/api.mdx#operation/initializeSelfServiceLoginFlowWithoutBrowser)