# feedback
c
Hello, I think it would be beneficial to prevent a user from setting their new password to something they previously used (i.e. check some kind of password history). From what I can find in the docs, this is not possible. Even if the user goes through the account recovery flow, the Ory settings API accepts the current password instead of requiring something different. In our case, we have an invite flow where we generate and email a temporary password to the user. Then, we force them to change it after first login by sending them to our custom Ory settings UI where they enter a new password. The settings API, however, accepts the current/original password instead of requiring something different.
d
You could generate a recovery link and include that in the email, instead of generating a random temporary password - that's how Ory suggests doing invite flows: https://www.ory.sh/docs/kratos/manage-identities/invite-users
You could probably implement the behaviour you want through webhooks, but I’m not sure exactly
s
You should really use recovery codes/links instead, as they can only be used once.