high-dawn-87261
02/21/2025, 8:48 AM
selfservice:
  methods:
    code:
      mfa_enabled: true
  flows:
    settings:
      required_aal: highest_available
A user who normally requires MFA to access settings (has available_aal = aal2) can bypass the AAL2 requirement by using email OTP for both factors:
1. Start account recovery → receive an email OTP (recovery code) as the first factor.
2. Authenticate with that email OTP.
3. When prompted for MFA, use another email OTP (mfa email code) as the second factor.
4. Access the settings flow without providing a distinct second factor.
Questions
• Is this expected behavior in Kratos when highest_available is used?
• How can we prevent the same factor from being used twice to meet the AAL2 requirement?
• Should Kratos enforce a distinct second factor for AAL2?
magnificent-energy-493
One-time codes (via email or phone) cannot be used for both MFA and passwordless.
Disable passwordless code sending to enable one-time code MFA.