# ory-copilot
@chilly-king-10285 explain to me how to reset the 2fa in the ui first and then maybe with REST API calls
A message from kapa.ai
To reset 2FA (two-factor authentication) for a user in Ory, you have two main approaches: using the UI (Ory Console/Account Experience) and using REST API calls.

---

## 1. Resetting 2FA via the UI

The knowledge sources do not provide a direct, end-user self-service flow for "resetting" 2FA (such as removing or re-enrolling a second factor) from the Ory Account Experience UI. Typically, users can pair a new TOTP device by going to the Authenticator App section in their account settings, but there is no explicit documentation on a "reset" or "remove" action for 2FA in the UI.

If a user loses access to their 2FA device, the standard recovery flow is to use account recovery (e.g., via email) to regain access, but this does not reset or remove the 2FA device itself. Admin intervention may be required in such cases [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).

---

## 2. Resetting 2FA via REST API

If a user loses access to their 2FA device and cannot recover using standard flows, an administrator can reset (delete) the 2FA credentials for that user using the Ory Admin API. This is done by deleting the relevant credential (e.g., TOTP or lookup_secret) for the identity.

Example: Delete TOTP credentials for an identity

```http
DELETE /admin/identities/{id}/credentials/totp
```

This endpoint removes the TOTP credential, effectively resetting 2FA for that user. The user can then log in again and set up 2FA from scratch. This approach is confirmed as the recommended solution by Ory team members [Disable 2FA and/or Recovery Codes for an Identity via the Identity Admin API](https://github.com/ory/network/issues/378).

You can also use the API to fetch recovery codes or 2FA setup keys if needed, but deleting the credential is the cleanest way to reset 2FA.

---

Summary:

- There is no explicit "reset 2FA" button in the Ory Account Experience UI; admin intervention is required.
- Use the Admin API to delete the 2FA credential for the user to reset their 2FA setup.

If you need more details on the exact API endpoints and usage, refer to the [Ory API reference](https://www.ory.sh/docs/reference/api#tag/identity/operation/deleteIdentityCredentials).
Tell me the standard flow to recover 2FA @chilly-king-10285
A message from kapa.ai
The standard flow to recover 2FA (two-factor authentication) in Ory is to use the account recovery process. This process allows users who have lost access to their second authentication factor (such as a TOTP device) to regain access to their account by proving ownership of their recovery address (typically their email).

Here's how the standard 2FA recovery flow works:

1. Initiate Account Recovery: The user starts the recovery flow, usually by clicking a "Recover Account" link on the login page.
2. Verify Recovery Address: The user enters their recovery email address. Ory sends a one-time code (default and recommended) or a magic link (legacy) to the provided email address, depending on the configured recovery method [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).
3. Enter Code or Click Link: The user enters the received code or clicks the link to verify ownership of the email address.
4. Privileged Session & Password Reset: Upon successful verification, the user is granted a privileged session and is redirected to the settings page, where they must set a new password to regain access to their account.

> The account recovery flow doesn't reset the user's second authentication factor.

This means that after recovery, the 2FA device is still required for future logins unless an administrator intervenes to reset or remove the 2FA credential [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).

Important:

- If the user cannot access their 2FA device and has no recovery codes, admin intervention is required to remove or reset the 2FA credential using the Admin API [Disable 2FA and/or Recovery Codes for an Identity via the Identity Admin API](https://github.com/ory/network/issues/378).

Summary:

- The standard flow is: initiate recovery → verify email → set new password → regain access.
- 2FA is not automatically reset; admin action is needed if the user cannot access their 2FA device.

For more details, see the [Ory account recovery documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).
What would be the easiest way to delete totp and then set it again from a Native App via REST api @chilly-king-10285?
A message from kapa.ai
To delete and then set up TOTP (2FA) again from a Native App using REST API, you would follow these steps:

---

### 1. Delete the TOTP Credential

As an admin, you can delete the TOTP credential for a specific identity using the following endpoint:

```http
DELETE /admin/identities/{id}/credentials/totp
```

- Replace `{id}` with the user's identity ID.
- This will remove the TOTP credential, allowing the user to set up TOTP again [deleteIdentityCredentials](https://www.ory.sh/docs/reference/api#tag/identity/operation/deleteIdentityCredentials).

---

### 2. Set Up TOTP Again

After deletion, the user can re-enroll TOTP using the settings flow:

1. Start a Settings Flow: The native app should initiate a settings flow for the user.
2. Submit TOTP Setup in the Settings Flow: The user submits a request to add TOTP. The request body should include:
   - `method`: set to `"totp"`
   - `totp_code`: the code generated by the user's authenticator app (after scanning the new QR code)
   - `csrf_token`: not required for native apps

Example request body:

```json
{
  "method": "totp",
  "totp_code": "123456"
}
```

If you want to remove TOTP (as part of a reset), you can also use the `totp_unlink` parameter set to `true` in the settings flow [updateSettingsFlow](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).

---

Summary of Steps:

1. Admin deletes TOTP credential via `DELETE /admin/identities/{id}/credentials/totp`.
2. User starts a settings flow and sets up TOTP again by submitting the new TOTP code via the settings API.

---

Note:

- Deleting credentials requires admin privileges.
- The user must complete the TOTP setup flow after deletion to re-enable 2FA.

If you need more details on the exact endpoints and request formats, refer to the [Ory API reference](https://www.ory.sh/docs/reference/api#tag/identity/operation/deleteIdentityCredentials).
And is the recovery flow best to certify the user authenticity to delete his totp or is there something better? @chilly-king-10285
A message from kapa.ai
The knowledge sources indicate that the standard account recovery flow in Ory is designed to verify that the user controls the recovery address (typically their email). After successful recovery, the user is granted a privileged session and can reset their password. However, the recovery flow does not automatically reset or remove the user's second authentication factor (such as TOTP); this must be done by an administrator using the Admin API [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).

The documentation does not explicitly state that the recovery flow is intended to certify user authenticity for sensitive actions like deleting TOTP credentials. It only certifies that the user has access to the recovery address, which is a common but not the strongest form of identity verification. For higher assurance, Ory recommends using additional security mechanisms such as TOTP or WebAuthn for critical actions [Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation).

In summary:

- The recovery flow is the standard way to verify user ownership of the recovery address, but it is not specifically designed to authorize sensitive actions like deleting TOTP.
- For stronger assurance, consider requiring additional authentication factors (e.g., TOTP, WebAuthn) before allowing deletion of 2FA credentials.
- The knowledge sources do not mention a better built-in alternative for certifying user authenticity for this purpose.

If you need the highest level of assurance, you may need to implement additional verification steps beyond the standard recovery flow, as the recovery flow alone may not be sufficient for high-security actions.