# ory-copilot
Bypassing AAL2 in Settings Flow Using Email OTP for Both Factors

With the following configuration:

```yaml
selfservice:
  methods:
    code:
      mfa_enabled: true
  flows:
    settings:
      required_aal: highest_available
```

A user who normally requires MFA to access settings (has `available_aal = aal2`) can bypass the AAL2 requirement by using email OTP for both factors:

1. Start account recovery → receive an email OTP (recovery code) as the first factor.
2. Authenticate with that email OTP.
3. When prompted for MFA, use another email OTP (MFA email code) as the second factor.
4. Access the settings flow without providing a distinct second factor.

Questions

- Is this expected behavior in Kratos when `highest_available` is used?
- How can we prevent the same factor from being used twice to meet the AAL2 requirement?
- Should Kratos enforce a distinct second factor for AAL2?
hi! You have to use @chilly-king-10285 to get an answer from the bot
A message from kapa.ai
I apologize, but I'm not sure I understand your question correctly. It seems like you might have intended to include some specific information or instructions, but they're missing from your message. As an AI assistant specialized in answering questions about Ory, I'm here to help with any queries related to Ory's products, services, or documentation. Could you please rephrase your question or provide more details about what you're trying to ask regarding Ory? I'll do my best to assist you based on the information available in the Ory documentation.