<@U04UQ68083H> what does the lookup_secret method ...
# ory-copilot
s
@chilly-king-10285 what does the lookup_secret method do in the identity selfservice config?
c
A message from kapa.ai
The
lookup_secret
method in the identity selfservice configuration is used to enable or disable the Lookup Secrets feature in Ory Kratos. Lookup Secrets, also known as Backup Codes or Recovery Codes, are a 2FA fail-safe mechanism. They can be used to complete the second factor when users lose access to their selected 2FA method. If you enable Lookup Secrets, users can download a server-generated set of one-time codes. Each code is valid for single use only and doesn't expire after a set amount of time. When the user generates a new set of codes, previously generated codes become invalid. To enable Lookup Secrets, you need to add the
lookup_secret
method to
selfservice/methods
in the configuration file and set
enabled
to `true`:
Copy code
yaml selfservice:     methods:       lookup_secret:         enabled: true
When the user generates and/or uses Lookup Secrets, Ory adds the following entries to the
credentials
object of the associated identity:
Copy code
yaml credentials:     password:       id: lookup_secret       identifiers:         # This is the identity's ID         - 802471b9-06f5-49d4-a88d-5e7d6bcfed22       config:         recovery_codes:           - code: 3zg9abc           - code: 1bc6bea             used_at: 2021-10-14T07:38:51Z
Sources: - [Configure multi-factor authentication in Ory Kratos > Lookup Secrets (Recovery Codes)](https://www.ory.sh/docs/kratos/self-hosted/mfa#lookup-secrets-recovery-codes) - [Lookup Secrets - a MFA fail-safe > Identity credentials](https://www.ory.sh/docs/kratos/mfa/lookup-secrets#identity-credentials)