Hey there, does Ory have a plan or maybe doesn’t want ...
# ory-network
Hey there, does Ory have a plan, or maybe doesn’t want, to provide backup codes for account recovery? I’m not a fan of the one-time code sent by email; I would like to ditch email to avoid account takeover through email compromise.
OK, I’ve just seen that the lookup secret does that for the second factor. So if I’m not allowing passwords and I’m disabling recovery, I can have a passkey-only login with a lookup secret in case of loss. I will test that.
Apparently it’s not possible to do account recovery with a lookup secret.
I can sign in with 1FA using a passkey and 2FA using a lookup secret, but would not be able to use it for recovery.
OK, I just got it: when password auth is disabled, the recovery codes are mandatory to reset the passkey. That means it asks for them as a 2FA after you enter the one-time code received by email during account recovery.
That indeed perfectly secures the process.