"Lost MFA device" flow?

[kszafran]

Hello! I have been looking into how TOTP and recovery codes work in Kratos. I was able to configure them for my user and then log in with AAL2 using TOTP. However, I couldn't figure out how to recover the account if my device with the TOTP authenticator is lost.

link is the only method returned by

curl -v -H'Accept: application/json' 'http://127.0.0.1:4433/self-service/recovery/api' | jq

If I go through the flow and then curl the link I get in the email, I get redirected to settings, which then return an error because I'm only on AAL1. If I call http://127.0.0.1:4433/self-service/login/api?aal=aal2 to upgrade to AAL2, the only method presented is totp (which I don't have access to if I lost the device).

I can't find more information in the documentation. What is the correct way to recover account access using recovery codes when the MFA device is lost?

Edit: I tried two more approaches, but without success:

1. I logged in with my password and then called http://127.0.0.1:4433/self-service/login/api?aal=aal2 thinking I'll maybe get an option to provide a recovery code. But nope, I only get the totp method.
2. I tried calling http://127.0.0.1:4433/self-service/recovery/api' with a session token after either following the recovery link or logging in with my password. In both cases I get an error: A valid session was detected and thus recovery is not possible.

[aeneasr]

You need backup recovery codes :) They are called lookup_secret

[kszafran]

If I login with AAL2 and go to settings, I can see:

      {
        "type": "input",
        "group": "lookup_secret",
        "attributes": {
          "name": "lookup_secret_regenerate",
          "type": "submit",
          "value": "true",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1050008,
            "text": "Generate new backup recovery codes",
            "type": "info"
          }
        }
      },

since I have generated them once already.

Or are you perhaps referring to the identity schema? Do I need to add something there?

[kszafran]

I'm debugging now and in the preLoginHook: section LoginStrategies do include lookup.Strategy, but the identity does not have lookup_secret credential. I wonder what I'm missing if I have already generated the recovery codes (as demonstrated in the response in my previous commit).

[kszafran]

OK, I see now that I apparently need to confirm the recovery codes (lookup_secret_confirm=true), which I haven't done before... Let me try again.

[kszafran]

And now it worked! Thanks for pointing me in the right direction.

It was somewhat surprising that I need to confirm the recovery codes. My experience as a user on various websites has been that you're normally presented with the codes and you don't need to click anything to confirm. What's the rationale behind that? Is it to make sure that the codes were successfully delivered to the user and not e.g. lost somewhere on the way? Should the frontend application confirm recovery codes automatically or is it intended to be a user action (like clicking a button)?

[aeneasr]

Exactly, they will be new codes the next time the user loads the screen, which is why they need to be confirmed