sparse-father-97864
06/07/2024, 7:24 PM
chilly-king-10285
06/07/2024, 7:24 PM
chilly-king-10285
06/07/2024, 7:25 PM
The `lookup_secret` method in the identity selfservice configuration is used to enable or disable the Lookup Secrets feature in Ory Kratos. Lookup Secrets, also known as Backup Codes or Recovery Codes, are a 2FA fail-safe mechanism. They can be used to complete the second factor when users lose access to their selected 2FA method. If you enable Lookup Secrets, users can download a server-generated set of one-time codes. Each code is valid for single use only and doesn't expire after a set amount of time. When the user generates a new set of codes, previously generated codes become invalid.

To enable Lookup Secrets, you need to add the `lookup_secret` method to `selfservice/methods` in the configuration file and set `enabled` to `true`:

```yaml
selfservice:
  methods:
    lookup_secret:
      enabled: true
```
When the user generates and/or uses Lookup Secrets, Ory adds the following entries to the `credentials` object of the associated identity:

```yaml
credentials:
  password:
    id: lookup_secret
    identifiers:
      # This is the identity's ID
      - 802471b9-06f5-49d4-a88d-5e7d6bcfed22
    config:
      recovery_codes:
        - code: 3zg9abc
        - code: 1bc6bea
          used_at: 2021-10-14T07:38:51Z
```
Sources:
- [Configure multi-factor authentication in Ory Kratos > Lookup Secrets (Recovery Codes)](https://www.ory.sh/docs/kratos/self-hosted/mfa#lookup-secrets-recovery-codes)
- [Lookup Secrets - a MFA fail-safe > Identity credentials](https://www.ory.sh/docs/kratos/mfa/lookup-secrets#identity-credentials)