Lookup secrets as a backup recovery codes

[harnash]

Note: I'm using v0.10.1 as a point of reference.

I would like to ask if there would be a way to treat lookup secrets as a backup recovery codes? Right now they are treated as another 2FA authorization method which is quite confusing for the users.

Currently users can enable lookup secrets whenever they want even when other 2FA authorization method was not enabled (TOTP). This is bit misleading since other implementation treats backup recovery codes as a, well, backup method of authentication used to recover account when user lost their primary MFA device. This leads to a situation when user disables TOTP authentication with intention of disabling MFA altogether but leaves lookup secrets and lands still with MFA enabled.

We can play with improving this on a frontend side but this is not really proper place to deal with this and not ideal - we still have to somehow disable lookup secrets after user disables TOTP.

Is this option of allowing to use lookup secrets only when other MFA authentication method is enabled planned/considered for the future releases? I'm not implying who should do it or when.

[aeneasr]

Yeah, that makes sense IMO.

[harnash]

You a referrinig to a situation when lookup codes are not enabled in the Kratos configuration? In that case this setting would be ineffective and will do nothing when user enables 2FA. It may be even strictly bound to lookup secrets and will require it to be enabled.

[aeneasr]

Ok, that makes sense. And what of the case where recovery codes are the only option? Then we would have the same behavior as today I assume?

[harnash]

I did some initial implementation for our needs and I have few observations:

1. Putting this feature setting inside lookup_secrets strategy config seems like a good idea at first but requires additional hook to properly cleanup those codes when user disable 2FA
2. This feature introduces some dependency between strategies (totp and lookup_secrets) and it is a bit hacky to implement this properly without breaking current user flows (this mostly applies to some edge cases when user has disabled 2FA and has lookup_secrets credentials still in the DB - this could happen when this feature is being enabled and user still have lookup_secrets enabled).
3. Having hook and strategy config as a method of enabling this feature is not intuitive and it is error prone. I would rather keep only a config setting and not rely on administrator to know how to setup it correctly.

I'm thinking right now to move this setting somewhere to a commonly accessible key in the config so it is not under strategy config and all strategies can actually fetch this setting easily (there might be more MFA strategies in the future so it should be easier to implement new strategies).

If someone is interested how it is currently implemented I have a PoC right here https://github.com/Wikia/kratos/pull/88/files.
I will probably treat this as a PoC and will work on separate implementation that should be more straightforward and fit into Kratos better.

[LowLevelSubmarine]

I was just looking for a way to disable recovery codes together with totp, as i've just locked myself out of my account unknowingly while testing. Has there been any progress on this feature request?

[vinckr]

Hello @LowLevelSubmarine

AFAICT no progress so far. I guess this issue is somewhat related: #2656 ?

If not maybe it would help to create a specific feature request for this, so its present on the backlog.