Account recovery using voice as the side channel - i.e. use an Recovery code created via the Admin API, with a selfservice Recovery FlowID

[quintilation]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

Some of our customers insist that Ory is used without Email or SMS connections.
We would like to be able to offer a account recovery mechanism using only a reset code passed by voice over a telephone.

Describe your ideal solution

We would like to add a new option to the account recovery process, e.g.

1. request a recovery code by email (already exists)
2. request a recovery code by SMS (already exists)
3. request a recovery code by telephone

If the user selects option 3. then they must telephone a system administrator and prove their identity to them.
The administrator can then use a new Kratos Admin API to generate a recovery code.
This short (6 digit) recovery code can then be used by the user to regain access to their account.

It is important that the recovery code generated via the new Admin API can be used with the user's recovery FlowID, rather than being tied to a FlowID of the administrators session.

Such a recovery code would only be valid for a short period (say 10 mins) and for one user's account.

Workarounds or alternatives

There is an existing admin API to recover access to accounts but this allows the administrator to gain access to a user's account.
This recovery code is only valid when presented with the URL (containing an administrator's FlowID), it cannot be used by a user.
The Administrator can then (I assume) set the password to anything they like, and give this password to the user over the Telephone.

This is not straightforward for us as our admin API is managed by a gateway application rather than a browser interface.
It also feels poor practice asking the administrator to choose a new password and then explain it to the User over a telephone line.

Version

kratos v1.2

Additional Context

I understand this is not an issue for large scale kratos deployments (cloud scale) as email is always available in these situations.

Our customers are TV and Radio broadcasters. They have become extremely cautious about allowing any internet connectivity from their services, incoming or outgoing. This means we have to implement self-hosted ory products and we cannot rely on internet connections for services such as smtp.

[gowri-xflowpay]

2. request a recovery code by SMS (already exists)

I don't think this is working currently. If I set up recovery via SMS, Kratos throws an error.

[github-actions[bot]]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️