Olympus Docs

Kratos session AAL too low

Session is AAL1 but operation requires AAL2

error: session_aal2_required
error_description: This action requires a higher authenticator assurance level

Some operations (changing password, disenrolling MFA, sensitive settings changes) require the session's authenticator_assurance_level to be at least aal2. The user's current session is aal1.

How AAL is computed

A session's AAL reflects the credentials actually used to establish it:

  • Password alone → AAL1
  • Password + TOTP → AAL2
  • Password + WebAuthn → AAL2
  • Social IdP login alone → AAL1

See Identity, Sessions, AAL, refresh for the full table.

When this error fires

  • Changing password in settings.
  • Disenrolling MFA (removing TOTP / WebAuthn).
  • Unlinking the last credential.
  • Administrative operations on the user's own identity from Athena (when Athena AAL2 is configured).

User-facing fix

The user needs to step up to AAL2 by completing their second factor:

GET /self-service/login/browser?aal=aal2&refresh=true

Hera renders only the AAL2 methods (TOTP code entry, WebAuthn challenge). After successful submission, the existing session is updated to AAL2; the user can retry the original operation.

App-facing fix

If your app initiates a sensitive settings flow, expect that Kratos may reject and tell you to step up. Catch the error and redirect:

try {
  await updateSettings(...);
} catch (e) {
  // Kratos rejected the settings change because the session is only AAL1.
  if (e.error_id === 'session_aal2_required') {
    // Encode return_to so query characters in the original URL survive the redirect.
    window.location.href = `/self-service/login/browser?aal=aal2&refresh=true&return_to=${encodeURIComponent(returnTo)}`;
    return;
  }
  throw e;
}

The user steps up; Kratos redirects back; your code retries.

When AAL2 isn't enrolled

If the user has no MFA enrolled, they can't step up. Kratos's flow handles this gracefully: it returns the user to a settings flow where they can enroll TOTP or WebAuthn first.
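As an added example (not code from the Olympus project), the app-side logic for the two cases above: decide before calling a sensitive operation whether the session can proceed, must step up, or must enroll a second factor first, and build the step-up URL with a safely encoded return_to. It assumes Kratos's session JSON shape (authenticator_assurance_level, and identity.credentials keyed by totp/webauthn when credentials are expanded); the operation names are hypothetical labels for the sensitive flows listed above.

```javascript
// Hypothetical labels for the operations the page lists as requiring AAL2.
const AAL2_OPERATIONS = new Set(['change_password', 'disenroll_mfa', 'unlink_last_credential']);

// Sensitive operations need aal2; anything else is fine at aal1.
function requiredAal(operation) {
  return AAL2_OPERATIONS.has(operation) ? 'aal2' : 'aal1';
}

// Assumes session.identity.credentials is present (credentials expanded).
function hasSecondFactorEnrolled(session) {
  const creds = (session.identity && session.identity.credentials) || {};
  return Boolean(creds.totp || creds.webauthn);
}

// Returns 'proceed' | 'step_up' | 'enroll_mfa'.
// A user with no second factor cannot step up, so route them to enrollment instead.
function plan(session, operation) {
  if (requiredAal(operation) === 'aal1' || session.authenticator_assurance_level === 'aal2') {
    return 'proceed';
  }
  return hasSecondFactorEnrolled(session) ? 'step_up' : 'enroll_mfa';
}

// Accepts both the flat shape used above (e.error_id) and Kratos's generic
// error envelope ({ error: { id } }).
function isStepUpError(e) {
  const id = e && (e.error_id || (e.error && e.error.id));
  return id === 'session_aal2_required';
}

// return_to must be a relative, same-origin path. Absolute URLs and
// protocol-relative forms ('//host', '/\host') fall back to '/', so a
// crafted return_to cannot turn the step-up redirect into an open redirect.
function safeReturnTo(candidate) {
  if (typeof candidate !== 'string' || !candidate.startsWith('/') || /^\/[\\/]/.test(candidate)) {
    return '/';
  }
  return candidate;
}

function stepUpUrl(returnTo) {
  const rt = encodeURIComponent(safeReturnTo(returnTo));
  return `/self-service/login/browser?aal=aal2&refresh=true&return_to=${rt}`;
}
```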

When AAL2 isn't required but the error fires

Check kratos.yml:

selfservice:
  flows:
    settings:
      required_aal: aal2   # Olympus default; change to aal1 only if password-only settings flows are acceptable

The default in Olympus is aal2 for security-sensitive flows. Lowering to aal1 weakens the security model.
