Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello, we’ve just been dinged on a pentest with you for insufficient entropy on the verification / recovery codes. Is it possible to configure them to be longer / use a different character set?

No, the length is not configurable.
The flows are resilient against brute forcing the code though, because we limit each flow's submissions to 6 in total, after which the flow becomes voided and can't be used anymore.