The

lookup_secret

method in the identity selfservice configuration is used to enable or disable the Lookup Secrets feature in Ory Kratos. Lookup Secrets, also known as Backup Codes or Recovery Codes, are a 2FA fail-safe mechanism. They can be used to complete the second factor when users lose access to their selected 2FA method. If you enable Lookup Secrets, users can download a server-generated set of one-time codes. Each code is valid for single use only and doesn't expire after a set amount of time. When the user generates a new set of codes, previously generated codes become invalid. To enable Lookup Secrets, you need to add the

lookup_secret

method to

selfservice/methods

in the configuration file and set

enabled

to `true`:

yaml selfservice:     methods:       lookup_secret:         enabled: true

When the user generates and/or uses Lookup Secrets, Ory adds the following entries to the

credentials

object of the associated identity:

yaml credentials:     password:       id: lookup_secret       identifiers:         # This is the identity's ID         - 802471b9-06f5-49d4-a88d-5e7d6bcfed22       config:         recovery_codes:           - code: 3zg9abc           - code: 1bc6bea             used_at: 2021-10-14T07:38:51Z

Sources: - [Configure multi-factor authentication in Ory Kratos > Lookup Secrets (Recovery Codes)](https://www.ory.sh/docs/kratos/self-hosted/mfa#lookup-secrets-recovery-codes) - [Lookup Secrets - a MFA fail-safe > Identity credentials](https://www.ory.sh/docs/kratos/mfa/lookup-secrets#identity-credentials)