# general
Hello @proud-plumber-6787. If I understand correctly, and please do correct me if I get something wrong, you are looking to generate OTU tokens (so basically MFA?) for managing settings, verification and recovery. You can request MFA: https://www.ory.sh/docs/kratos/mfa/step-up-authentication. There are basically three different options for MFA: Lookup Secrets (a.k.a. Backup Codes, Recovery Codes), TOTP (Temporary One Time Password), and WebAuthn: https://www.ory.sh/docs/kratos/mfa/overview. If you have an MFA option enabled, by default the settings flow requires MFA (you can disable this). So by default, when MFA is enabled, the user will have to use a second factor to change any traits/data in their identity or their credentials. Verification and Recovery flows support magic links and a code strategy; the code strategy is recommended.
Hi Vincent! Thank you for the thorough and quick response! Based on your explanation, I think what I'm looking for is something like the "code strategy" that is supported in the verification/recovery flows, but the ability to generate custom OTU tokens that can be used in other flows. I want to be able to send a token to a user that allows them to update their email subscription settings, or to allow them to open a web view from our native application which maintains their logged in state (without them needing to provide credentials again). Are custom tokens of this nature currently supported?
Happy Monday! Is there any additional information I can provide that would be useful in answering the above? Thank you!
Hey @proud-plumber-6787, apologies for the late answer! I started to write something but forgot to send it 🤦 I think you can use the lookup secrets for this: https://www.ory.sh/docs/kratos/mfa/lookup-secrets#identity-credentials. You could request aal2 (so basically MFA) for the flows that should use this: https://www.ory.sh/docs/kratos/mfa/step-up-authentication. Let me know if that sounds like something you could use. It is not the intended use case for the lookup secrets, but I think it could fit.
No worries, thank you for the response! Is there a way to limit the scope of access for the Lookup Secrets? We'd love to be able to provide a token that only allows a user to manage their email subscription status, for example, but then require a full login in order to access all of their account data.
Hey @proud-plumber-6787, not directly. You could implement something like this using a custom UI, for example for the settings page, that only shows part of the identity data for `aal1` and shows the full identity data for `aal2`. Another possibility would be using OAuth2 / Ory Hydra; I am not sure what is the best implementation for your particular case. I would be happy to support you in implementing it though, as it might be something that other users also would be interested in. @bland-eye-99092 FYI, since you implemented the `code` strategy for verify etc.