Lookup Secrets (Recovery Codes)
Lookup Secrets, also known as Backup Codes or Recovery Codes, can be used to perform 2FA when the user doesn't have access to their selected 2FA method.
Lookup Secrets are:
- server-generated
- valid for a single use
- non-expiring - they become invalid only when the user generates a new set of codes
If you enable Lookup Secrets, users can get a list of codes that they must store securely for future use. This is how it looks in the UI:
Note: The example screenshots are captured using the Ory Managed UI.
After the server generates the codes, the user must confirm that they received them. To confirm, the user must have a privileged Session.
If the privileged session expired, the user is prompted to authenticate:
Warning: The codes are valid only after the user confirms they received them. It is the user's responsibility to generate a new set of secrets before all of the available secrets have been used.
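The lifecycle described above (server-generated, unusable until confirmed, single use, and invalidated as a set when regenerated) as an added illustrative model in Python; this is example code, not Ory Kratos's implementation, and the class, its field names and the code alphabet are assumptions:

```python
import hashlib
import hmac
import secrets

# Assumed alphabet for the human-readable codes (not Kratos's format).
CODE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


class LookupSecrets:
    """Per-user set of server-generated, single-use recovery codes."""

    def __init__(self, count: int = 12, length: int = 8) -> None:
        self.count = count
        self.length = length
        self._hashes: set[str] = set()  # hashes of unused codes only
        self.confirmed = False           # codes are unusable until confirmed

    @staticmethod
    def _hash(code: str) -> str:
        # Only hashes are stored, so a database leak does not expose the codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def generate(self) -> list[str]:
        """Create a fresh set; the previous set becomes invalid immediately."""
        codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(self.length))
                 for _ in range(self.count)]
        self._hashes = {self._hash(c) for c in codes}
        self.confirmed = False  # the new set must be confirmed again
        return codes  # shown to the user once, never stored in plaintext

    def confirm(self) -> None:
        """Call only after the user proved receipt within a privileged session."""
        self.confirmed = True

    def remaining(self) -> int:
        """Unused codes left; a UI can prompt regeneration when this gets low."""
        return len(self._hashes)

    def use(self, candidate: str) -> bool:
        """Consume a code: True exactly once per valid code, False otherwise."""
        if not self.confirmed:
            return False
        digest = self._hash(candidate)
        matched = None
        for stored in self._hashes:  # constant-time compare against every entry
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self._hashes.remove(matched)  # single use
        return True
```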
Configuration
Follow these steps to enable Lookup Secrets:
Ory Cloud Console
- Sign in to the Ory Cloud Console and go to Two-Factor Authentication.
- In the Lookup Secrets section, use the switch to enable Lookup Secrets.
- Click Save to finish.
Ory CLI
- Get the Identity Service configuration from your project and save it to a file:

```shell
## List all available projects
ory list projects
## Get config
ory get identity-config <project-id> --format yaml > identity-config.yaml
```
- Find `lookup_secret` in `selfservice/methods` and set `enabled` to `true`:

```yaml
lookup_secret:
  enabled: true
```
- Update the Ory Cloud Identity Service configuration using the file you worked with:

```shell
ory update identity-config <project-id> --file identity-config.yaml
```
Self-Hosted Instances
When working with self-hosted instances of the Ory Identity Service (Kratos), add the `lookup_secret` method to `selfservice/methods` in the configuration file:

```yaml
selfservice:
  methods:
    lookup_secret:
      enabled: true
```