faint-action-73893
07/02/2025, 1:51 PMbrief-egg-61061
07/02/2025, 1:51 PMbrief-egg-61061
07/02/2025, 1:51 PM
```
DELETE /admin/identities/{id}/credentials/totp
```
This endpoint removes the TOTP credential, effectively resetting 2FA for that user. The user can then log in again and set up 2FA from scratch. This approach is confirmed as the recommended solution by Ory team members [Disable 2FA and/or Recovery Codes for an Identity via the Identity Admin API](https://github.com/ory/network/issues/378).

You can also use the API to fetch recovery codes or 2FA setup keys if needed, but deleting the credential is the cleanest way to reset 2FA.

---

Summary:
- There is no explicit "reset 2FA" button in the Ory Account Experience UI; admin intervention is required.
- Use the Admin API to delete the 2FA credential for the user to reset their 2FA setup.

If you need more details on the exact API endpoints and usage, refer to the [Ory API reference](https://www.ory.sh/docs/reference/api#tag/identity/operation/deleteIdentityCredentials).

faint-action-73893
07/03/2025, 7:08 AMbrief-egg-61061
07/03/2025, 7:08 AMbrief-egg-61061
07/03/2025, 7:08 AMfaint-action-73893
07/03/2025, 1:32 PMbrief-egg-61061
07/03/2025, 1:32 PMbrief-egg-61061
07/03/2025, 1:33 PM
```
DELETE /admin/identities/{id}/credentials/totp
```
- Replace `{id}` with the user's identity ID.
- This will remove the TOTP credential, allowing the user to set up TOTP again [deleteIdentityCredentials](https://www.ory.sh/docs/reference/api#tag/identity/operation/deleteIdentityCredentials).

---

### 2. Set Up TOTP Again

After deletion, the user can re-enroll TOTP using the settings flow:

1. Start a Settings Flow
   The native app should initiate a settings flow for the user.
2. Submit TOTP Setup in the Settings Flow
   The user submits a request to add TOTP. The request body should include:
   - `method`: set to `"totp"`
   - `totp_code`: the code generated by the user's authenticator app (after scanning the new QR code)
   - `csrf_token`: not required for native apps

Example request body:
```json
{ "method": "totp", "totp_code": "123456" }
```
If you want to remove TOTP (as part of a reset), you can also use the `totp_unlink` parameter set to `true` in the settings flow [updateSettingsFlow](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).

---

Summary of Steps:
1. Admin deletes TOTP credential via `DELETE /admin/identities/{id}/credentials/totp`.
2. User starts a settings flow and sets up TOTP again by submitting the new TOTP code via the settings API.

---

Note:
- Deleting credentials requires admin privileges.
- The user must complete the TOTP setup flow after deletion to re-enable 2FA.

If you need more details on the exact endpoints and request formats, refer to the [Ory API reference](https://www.ory.sh/docs/reference/api#tag/identity/operation/deleteIdentityCredentials).

faint-action-73893
07/03/2025, 1:34 PMbrief-egg-61061
07/03/2025, 1:34 PMbrief-egg-61061
07/03/2025, 1:34 PM