# ory-network
h
Bypassing AAL2 in Settings Flow Using Email OTP for Both Factors

With the following configuration:
selfservice:
  methods:
    code:
      # one-time codes (email/SMS) may also be used as the second factor
      mfa_enabled: true
  flows:
    settings:
      # settings flow demands the highest AAL the identity's credentials can reach
      required_aal: highest_available
A user who normally requires MFA to access settings (has available_aal = aal2) can bypass the AAL2 requirement by using email OTP for both factors:

1. Start account recovery → receive an email OTP (recovery code) as the first factor.
2. Authenticate with that email OTP.
3. When prompted for MFA, use another email OTP (MFA email code) as the second factor.
4. Access the settings flow without providing a distinct second factor.

Questions
• Is this expected behavior in Kratos when highest_available is used?
• How can we prevent the same factor from being used twice to meet the AAL2 requirement?
• Should Kratos enforce a distinct second factor for AAL2?
m
I am not 100% sure here, but imo if you have OTP for login enabled, you should choose another option for MFA (e.g. TOTP or WebAuthn). There is also a notice in the Ory Console for this case:
One time codes (via email or phone) cannot be used for both MFA and passwordless.
Disable passwordless code sending to enable one-time code MFA.
h
Thanks both, it is a good point. At the same time, the user would be locked out of their account if we did not allow this, as there is no way to achieve the second factor. But I agree, it's not fully MFA-ish because it's both OTP via mail. Generally, code MFA is edge case-y.
h
But for a user who only has email code as their MFA method (with no other MFA like a TOTP authenticator, etc.) and whose recovery method is code, if they want to recover access to their account and settings (to change their password, for example), they are forced to do the same action twice in a row (first factor: email OTP for recovery, second factor: email OTP for MFA). So, is it really relevant or more secure to ask the user to repeat the exact same action twice?
h
You can change that by changing the required AAL to aal1.
If you choose to have email MFA, which isn't true MFA anyway, you will have to die one death / configure the product in a way to manage the trade-offs.
q
Hello, I work with Ali, who is in my dev team. So if I understand correctly, if this solution is chosen, changing the required AAL to aal1, is this a major safety risk?
Because an old colleague of mine, who has a lot of knowledge in IAM, said it's very bad to change the required_aal for "settings" or "recovery" from aal2 to aal1. For security, but also for the user experience of authentication.
h
"True" Multi-factor authentication (MFA) uses at least two different types of authentication factors to log in to an account. This is more secure than using multiple factors of the same type. If you're only using email OTP for both, then it's the same type (i.e. email), and not really following the multi-factor process. If using email OTP, then you should combine it with another type of authentication (not email) if you really want MFA, and ideally (really "true" MFA) this other factor should come from a different device and/or communication medium.