Hi, we’re trying to configure the TOTP and Lookup ...
# talk-kratos
Hi, we’re trying to configure the TOTP and Lookup Secrets for the self service flows. We’re wondering if users should be able to set up the two 2FA methods in parallel? We’ve added both to our kratos config and we’re able to set the 2FA using totp when logged in using `submitSelfServiceSettingsFlow` and passing in a `SubmitSelfServiceSettingsFlowWithTotpMethodBody` flow body. This works great and we’re able to use it to log in. We also want to add recovery codes (lookup secrets) in parallel to the totp 2FA, so that if a user has lost access to their totp device they can use their codes. When a user adds 2FA (totp) to their account we want to generate the codes automatically and add them as a backup to that account. We’re able to generate the recovery codes and confirm them by calling `submitSelfServiceSettingsFlow` and passing in a `SubmitSelfServiceSettingsFlowWithLookupMethodBody`, but after that they seem to be set as the only option for 2FA? When we next try to login the only option for 2FA is to use the recovery codes. We’re only getting the `lookup_secrets` node back in the flow ui and no `totp` nodes? Here is the kratos config:
```yaml
selfservice:
  default_browser_return_url: http://127.0.0.1:8084/
  whitelisted_return_urls:
    - http://127.0.0.1:8084

  methods:
    profile:
      enabled: true
    password:
      enabled: true
    link:
      enabled: true
      config:
        lifespan: 15m
    oidc:
      enabled: true
      config:
        providers:
          - id: github # DO NOT CHANGE IT ONCE SET!
            provider: github
            client_id: [REDACTED]
            client_secret: [REDACTED]
            mapper_url: file:///etc/config/kratos/oidc.github.jsonnet
            scope:
              - user:email
          - id: google # DO NOT CHANGE IT ONCE SET!
            provider: google
            client_id: [REDACTED]
            client_secret: [REDACTED]
            mapper_url: file:///etc/config/kratos/oidc.google.jsonnet
            scope:
              - email
              - profile
            requested_claims:
              id_token:
                email:
                  essential: true
                email_verified:
                  essential: true
                given_name:
                  essential: true
                family_name: null
                hd: null # If you want the G Suite domain
    totp:
      enabled: true
      config:
        issuer: Comnoco.io
    lookup_secret:
      enabled: true
```
Is anyone able to help us understand or solve this please? 🙏 We’re a little confused!
Ah, we’d done something wrong, it does work! 🙇‍♂️