Hi everyone, I've been working on a project using ...
# general
s
Hi everyone, I've been working on a project using Ory Kratos (V1.1.0) for user authentication and management. The sign-up and sign-in functionalities are working perfectly. Now we want to have OTP validation over email for the sign-in flow. I tried different combinations of configurations, but it is not working. Will it work with vanilla Kratos, or do I need to develop custom hooks for it? I don't find a configuration in the Kratos YAML specification doc for OTP over email for sign-in. Any advice or guidance on this would be greatly appreciated, thank you 🙏
m
Hello @shy-wall-7656, you want to send users a 4-digit code that they can use to log in? This is the config you need:
selfservice:
  methods:
    code:
      passwordless_enabled: true
s
Thanks @magnificent-energy-493. Yes, now I am able to log in with a password or a code (sent over email). I want the user to first enter a valid password and then the code (sent over email); only then should he/she be able to sign in.
Hi everyone, I've been working on a project using Ory Kratos (V1.1.0) for user authentication and management. The sign-up and sign-in functionalities are working perfectly. One of our requirements is to maintain a password history of the last 5 passwords, and while resetting the password the user should be restricted from reusing those 5 old passwords. How to configure it?
d
I don't believe you can do this purely with Kratos. You would need to build your own API that Kratos can call through a flow-interrupting webhook for the "after settings" hook. Your external system would need to store the user's last 5 password hashes and reject (return a 40x error) if they reuse one.
If possible, though, I'd try and convince the decision maker not to do this. It goes against NIST recommended practices for passwords.
s
Hi everyone, I've been working on a project using Ory Kratos (V1.2.0) for user authentication and management. The sign-up and sign-in functionalities are working perfectly. One of our requirements is to send an OTP over email for each login flow after the correct password is entered, even if the email ID is already verified. How to configure it?
m
@shy-wall-7656 Hey, I would be interested where this NIST best practice regarding password history/restricting password reuse is documented. I looked through the doc and found nothing, but it's quite long so I might have missed it. I have been looking at these documents: https://pages.nist.gov/800-63-3/ If possible, can you maybe point me to the section? NIST does recommend a check against breached passwords, which Ory implements with the haveibeenpwned API by default. This combined with 2-factor auth is a very good protection IMO, and preventing the user from reusing their last 5 passwords is IMO just sugar on top that does not change much regarding security (except mildly annoying the user). The breached password detection will prevent them from using an unsafe password.
Also @shy-wall-7656:
"One of our requirements is to send an OTP over email for each login flow after the correct password is entered, even if the email ID is already verified."
Do you mean you want to require a second factor on login?
s
Yes
m
Hey @shy-wall-7656, in that case, after login check the aal and if it is 1, redirect the user with the ?aal=aal2 parameter. This will prompt them to input their second factor; see the docs here: https://www.ory.sh/docs/kratos/mfa/step-up-authentication