<@U04UQ68083H> how can I use lookup secrets?
# ory-copilot
f
@chilly-king-10285 how can I use lookup secrets?
b
A message from kapa.ai
To use lookup secrets (also known as backup or recovery codes) in Ory Kratos, follow these steps:

1. Enable Lookup Secrets in Configuration

First, ensure that lookup secrets are enabled in your Ory Kratos configuration. For self-hosted setups, add the following to your configuration file:
```yaml
selfservice:
  methods:
    lookup_secret:
      enabled: true
```
For Ory Network, you can enable this in the Ory Console under Authentication → Two-factor auth → Lookup Secrets and save your changes [Docs: Lookup Secrets - a MFA fail-safe](https://www.ory.sh/docs/kratos/mfa/lookup-secrets).

2. User Receives Lookup Codes

When enabled, users can generate a set of one-time codes from the UI. These codes are displayed as a list and should be stored securely by the user. Each code can be used only once. If a new set is generated, previous codes become invalid. The codes do not expire by time, only by use.

3. Using Lookup Secrets for Authentication

If a user loses access to their primary 2FA method (like TOTP or WebAuthn), they can use one of their lookup codes to complete the second-factor authentication step during login or recovery flows. The UI will prompt for a code, and the user enters one of their unused codes.

4. Regenerating and Confirming Codes

Users can regenerate codes as needed. When new codes are generated, the user must confirm receipt (usually by a privileged session). Only after confirmation do the codes become valid. Used codes are marked as such in the identity’s credentials.

5. Security Recommendations

- Store codes in a secure place, not in a password manager if possible.
- Regenerate codes periodically.
- Treat codes as sensitive as passwords, since anyone with access can use them to bypass 2FA if the primary method is unavailable.

Example of how codes are stored in the identity object:
```yaml
credentials:
  password:
    id: lookup_secret
    identifiers:
      - <identity-id>
    config:
      recovery_codes:
        - code: 3zg9abc
        - code: 1bc6bea
          used_at: 2021-10-14T07:38:51Z
```
[Docs: Lookup Secrets - a MFA fail-safe](https://www.ory.sh/docs/kratos/mfa/lookup-secrets)

Summary: Enable lookup secrets in your configuration, let users generate and securely store their codes, and use them as a backup 2FA method when needed. Each code is single-use and should be kept safe. For more details and UI examples, see the [Ory documentation](https://www.ory.sh/docs/kratos/mfa/lookup-secrets).
f
@chilly-king-10285 show me step 3 in the documentation or as a picture, as I could not find a place to enter that
b
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain a screenshot or a specific picture showing where to enter a lookup secret code in the UI. However, the documentation does describe that when lookup secrets are enabled, users can use them as a backup 2FA method during login or recovery flows. The UI will prompt for a code, and the user should enter one of their unused codes at that step.

The documentation also provides an example of how lookup secrets are displayed in the UI as a list of codes, but it does not show the exact input field for entering a code during authentication. Here is an example of how the codes might be presented in the UI, based on the JSON structure for UI text nodes:
```json
{
  "type": "text",
  "group": "lookup_secret",
  "attributes": {
    "text": {
      "id": 1050015,
      "text": "8qhkibka, 4m4m0l81, xh7ji7xk, ...",
      "type": "info",
      "context": {
        "secrets": [
          { "id": 1050009, "text": "8qhkibka", ... },
          { "id": 1050009, "text": "4m4m0l81", ... }
          // ...
        ]
      }
    },
    "id": "lookup_secret_codes",
    "node_type": "text"
  },
  "messages": [],
  "meta": {
    "label": {
      "id": 1050010,
      "text": "These are your back up recovery codes. Please keep them in a safe place!",
      "type": "info"
    }
  }
}
```
[Understanding UI nodes and error messages](https://www.ory.sh/docs/kratos/concepts/ui-user-interface#ui-text-nodes)

But the documentation does not provide a visual or step-by-step screenshot of the actual input field for entering a lookup secret during login or recovery. If you are building a custom UI, you would need to render an input field for the `lookup_secret` method as part of your login or recovery flow, as described in the integration basics documentation.