Enable Kratos MFA support (TOTP / WebAuthn)

## Description
Enable and integrate Multi-Factor Authentication (MFA) via Ory Kratos. Kratos supports TOTP (authenticator apps) and WebAuthn (security keys, passkeys) as second factors. This story covers the server-side configuration and integration work needed to support MFA for Alkemio users.

## Goal
- Strengthen account security with a second authentication factor
- Support ISO 27001 control A.8.5 (Secure authentication)
- Enable MFA enforcement for privileged accounts (admins, space owners)

## Acceptance Criteria
- [ ] Enable TOTP second factor in Kratos identity schema and configuration
- [ ] Enable WebAuthn second factor in Kratos configuration
- [ ] Update Kratos identity schema to support MFA settings per user
- [ ] Server handles MFA-related session attributes correctly
- [ ] MFA enrollment flow works end-to-end (setup, verify, login with 2FA)
- [ ] MFA recovery codes generation and usage
- [ ] Document MFA configuration for deployment (Helm values, env vars)
- [ ] Integration tests for MFA login flows

## Parent Epic
[alkemio#1677](https://github.com/alkem-io/alkemio/issues/1677) — Ory Updates to latest (Oathkeeper + Hydra + Kratos)

## Related
- [infra-ops#1953](https://github.com/alkem-io/infrastructure-operations/issues/1953) — MFA on email accounts (Kratos native identities)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enable Kratos MFA support (TOTP / WebAuthn) #5913

Description

Goal

Acceptance Criteria

Parent Epic

Related

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Enable Kratos MFA support (TOTP / WebAuthn) #5913

Description

Description

Goal

Acceptance Criteria

Parent Epic

Related

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions