
Step-up auth

The user starts a session at AAL1; before a sensitive operation is allowed, Kratos requires the session to be escalated to AAL2.

AAL escalation

Spec:

Provides AAL: AAL1 → AAL2 mid-session

Summary

The user starts a session at AAL1; before a sensitive operation is allowed, Kratos requires the session to be escalated to AAL2.

Strengths

  • Doesn't force MFA at every login
  • Friction only when needed

Weaknesses

  • Requires careful integration in your app

Enrollment

Same as the underlying methods (TOTP/WebAuthn).

Recovery

Same as the underlying methods.

Olympus specifics

Sensitive Kratos flows (settings, credential change) require AAL2 by default.
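The "careful integration" noted under Weaknesses comes down to a server-side gate in front of your own sensitive routes. The sketch below is an added example, not Olympus or Kratos code. It assumes your backend calls Kratos' `GET /sessions/whoami` with the user's session cookie and starts step-up through the browser login flow with `aal=aal2`; the base URL, function names, return values and sample sessions are hypothetical or constructed.

```python
from urllib.parse import urlencode

# Assumption: placeholder public Kratos URL; use your deployment's value.
KRATOS_PUBLIC_URL = "https://auth.example.test"
AAL_RANK = {"aal1": 1, "aal2": 2}


def login_url(return_to, aal=None):
    """Build a Kratos browser login URL; aal="aal2" requests step-up."""
    params = {"return_to": return_to}
    if aal:
        params["aal"] = aal
    return f"{KRATOS_PUBLIC_URL}/self-service/login/browser?{urlencode(params)}"


def step_up_decision(status, body, required_aal, return_to):
    """Gate one request on what Kratos reports about the session.

    status/body: HTTP status and parsed JSON of GET /sessions/whoami, fetched
    server-side (never an AAL value supplied by the client).
    Returns ("allow", None), ("step_up", url), ("login", url) or ("deny", None).
    """
    need = AAL_RANK[required_aal]  # KeyError on a typo: misconfiguration is loud
    body = body if isinstance(body, dict) else {}
    err = body.get("error")
    err_id = err.get("id") if isinstance(err, dict) else None
    if status == 403 and err_id == "session_aal2_required":
        return "step_up", login_url(return_to, aal="aal2")
    if status == 401:
        return "login", login_url(return_to)
    if status != 200 or body.get("active") is not True:
        return "deny", None  # Kratos error or malformed answer: fail closed
    # A missing or unknown level ranks 0, so it can never satisfy the check.
    have = AAL_RANK.get(body.get("authenticator_assurance_level"), 0)
    if have >= need:
        return "allow", None
    return "step_up", login_url(return_to, aal=required_aal)


# Constructed sample sessions, trimmed to the fields used above.
AAL1_SESSION = {"active": True, "authenticator_assurance_level": "aal1"}
AAL2_SESSION = {"active": True, "authenticator_assurance_level": "aal2"}
RETURN_TO = "https://app.example.test/billing/payout"  # constructed

if __name__ == "__main__":
    print(step_up_decision(200, AAL1_SESSION, "aal1", RETURN_TO))
    print(step_up_decision(200, AAL1_SESSION, "aal2", RETURN_TO))
    print(step_up_decision(200, AAL2_SESSION, "aal2", RETURN_TO))
```

Declare the required level per route on the server and run the check on every sensitive request, not only at login, so a session that is still at AAL1 is sent to the step-up flow instead of being served.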
