Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

<@U04UQ68083H> I'm using ory self-hosted kratos. When a user authenticates through code_recovery or link_recovery, is the Authenticator Assurance Level (AAL) set to `aal0` or `aal1` ?

The Authenticator Assurance Level (AAL) in Ory Kratos indicates how many authentication factors the identity has completed. However, the knowledge sources provided do not specify the AAL for the `code_recovery` or `link_recovery` methods specifically.  In general, `aal1` implies that one authentication factor was used, while `aal2` implies that two factors have been used. For example, a password and a TOTP would result in `aal2`. However, completing two first authentication factors doesn't give the user `aal2`. For instance, logging in with a `password` and `oidc` is still `aal1`.  For a definitive answer on the AAL for `code_recovery` or `link_recovery`, I would recommend referring to the [Ory Kratos documentation](<https://www.ory.sh/docs/kratos/mfa/overview#authenticator-assurance-level-aal>) or reaching out to the Ory community for further clarification.