Skip to main content

2FA Look-up Secrets and Recovery Codes

Lookup secrets (lookup_secret) are passwords generated by the server. These passwords can only be used once, and the end-user typically downloads them, stores them in their password manager, or writes them down. Lookup secrets are commonly used when the end-user loses access to their TOTP or WebAuthn device!

Generating new recovery codes

Configuration​

Enabling this method is as easy as setting

kratos.config.yml
selfservice:
  methods:
    lookup_secret:
      enabled: true

Identity Credentials​

The lookup_secret method would generate a credentials block as follows:

credentials:
  password:
    id: lookup_secret
    identifiers:
      # This is the identity's ID
      - 802471b9-06f5-49d4-a88d-5e7d6bcfed22
    config:
      recovery_codes:
        - code: 1bc6bea
        - code: 1bc6bea
          used_at: 2021-10-14T07:38:51Z