# ory-copilot
@chilly-king-10285 I'm using self-hosted kratos. Some users cannot log in anymore because they're asked for 2FA which they never enrolled in. In the database I see `identity_credentials` entries of webauthn type with only `user_handle` in the config. What could cause this and how can this be prevented?
A message from kapa.ai
Based on the information in the knowledge sources, there is no explicit documentation describing the exact scenario where a self-hosted Ory Kratos instance creates `identity_credentials` entries of type `webauthn` with only a `user_handle` in the config, and users are then prompted for 2FA they never enrolled in. However, here are some relevant points and possible causes, based on the available documentation:

1. WebAuthn Enrollment Process: Normally, a WebAuthn credential in the database should include more than just a `user_handle`; it should also have fields like `public_key`, `id`, and other authenticator metadata. If only `user_handle` is present, it suggests that the enrollment process was started but not completed, possibly due to an interrupted or failed registration flow. This could leave a partial credential record in the database, which might cause Kratos to think the user has enrolled in 2FA, even though they haven't finished the process [WebAuthn and FIDO2 (YubiKey) - Identity credentials](https://www.ory.sh/docs/kratos/mfa/webauthn-fido-yubikey#identity-credentials).
2. 2FA Enforcement Configuration: If your Kratos configuration enforces 2FA for users who have any second factor set up (even partially), these incomplete WebAuthn credentials could trigger the 2FA requirement. The configuration options for enforcing AAL (Authenticator Assurance Level) are described in the docs. If `session.whoami.required_aal` is set to `highest_available`, users with any 2FA method (even incomplete) will be required to complete 2FA to log in [Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa).
3. Prevention: To prevent this issue:
   - Ensure that the WebAuthn registration flow is robust and cannot leave partial credentials in the database. This may require reviewing your UI and API integration to handle errors and incomplete flows gracefully.
   - Consider cleaning up incomplete or partial WebAuthn credentials from the database, especially those missing essential fields like `public_key` or `id`.
   - Review your AAL enforcement settings. If you want to avoid locking out users due to partial 2FA enrollments, you might set `session.whoami.required_aal` to `aal1`, which does not require 2FA for login unless fully configured [Configure multi-factor authentication in Ory Kratos](https://www.ory.sh/docs/kratos/self-hosted/mfa).

Summary: The most likely cause is incomplete WebAuthn enrollments leaving partial credentials in the database, which then triggers 2FA enforcement. To prevent this, ensure the registration flow cannot leave partial credentials, clean up such entries, and review your AAL enforcement configuration. If you need more detailed troubleshooting or a fix, the knowledge sources do not provide further specifics on this scenario.
@chilly-king-10285 If I create a new user via the kratos api, it automatically gets "empty" credentials of both password and webauthn type. Why is that?
A message from kapa.ai
I'm sorry, but the knowledge sources do not explicitly explain why creating a new user via the Kratos API would automatically result in "empty" credentials of both password and webauthn type. The documentation describes how credentials are structured and how to configure identity schemas to support various credential types, but it does not mention automatic creation of empty credentials for all types when a user is created. This behavior may be related to your specific configuration or a version-specific implementation detail, but there is no direct information about this in the provided sources. If this is causing issues, you may want to review your identity schema and Kratos configuration to ensure that only the intended credential types are enabled or created for new users. If the problem persists, consider reaching out to the Ory community or support channels for further assistance.
@chilly-king-10285 Is this snippet from the corresponding identity schema reasonable?
```json
"email": {
  "type": "string",
  "format": "email",
  "title": "E-Mail",
  "minLength": 3,
  "ory.sh/kratos": {
    "recovery": {
      "via": "email"
    },
    "credentials": {
      "password": {
        "identifier": true
      },
      "totp": {
        "account_name": true
      },
      "webauthn": {
        "identifier": true
      }
    }
  }
},
```
A message from kapa.ai
Yes, the provided identity schema snippet is reasonable and aligns with the examples and recommendations in the Ory Kratos documentation. Your snippet:
```json
"email": {
  "type": "string",
  "format": "email",
  "title": "E-Mail",
  "minLength": 3,
  "ory.sh/kratos": {
    "recovery": {
      "via": "email"
    },
    "credentials": {
      "password": {
        "identifier": true
      },
      "totp": {
        "account_name": true
      },
      "webauthn": {
        "identifier": true
      }
    }
  }
}
```
- `"recovery": { "via": "email" }`: Specifies that the email field is used for account recovery, which is standard practice [Account recovery address](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address).
- `"credentials"`: Lists supported authentication methods for this field:
  - `password.identifier: true`: Email is used as the identifier for password login [Password login identifier](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#password-login-identifier).
  - `totp.account_name: true`: Email is shown as the account name in TOTP apps [TOTP custom identity schema](https://www.ory.sh/docs/kratos/mfa/totp#custom-identity-schema).
  - `webauthn.identifier: true`: Email is used as the identifier for WebAuthn [WebAuthn custom identity schema](https://www.ory.sh/docs/kratos/passwordless/passkeys#custom-identity-schema).

This structure matches the documented examples and is a valid way to configure the email field for multiple authentication and recovery methods in Ory Kratos [Identity schema extensions](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#identity-schema-extensions). If you have additional requirements (such as verification), you may also add a `"verification": { "via": "email" }` block, as shown in some examples, but your current snippet is correct and reasonable.