Closed BrandonNoad closed 8 months ago
Doesn't this endpoint solve this issue: https://www.ory.sh/docs/reference/api#tag/identity/operation/deleteIdentityCredentials
I guess disabling != deleting, but it definitely allows the user to log in again.
@jonas-jonas Yes, that is exactly what I was looking for. Sorry, I did not know that API route existed. Is it new?
Great! Glad that solves the issue. It's from sometime early last year, IIRC.
I'll close this issue. Thanks for the quick response.
Preflight checklist
Ory Network Project
No response
Describe your problem
If a user loses access to their 2FA device and does not have any recovery codes, it is difficult for the user to regain access to their account.
Describe your ideal solution
Ideally, there would be an admin API route that we could use to disable 2FA and/or recovery codes for an identity.
Workarounds or alternatives
You can fetch the recovery codes and 2FA setup key using the GET /admin/identities/{id} route if you add an include_credential search param with a value equal to lookup_secret or totp. So you could fetch these values and securely pass them along to the user, allowing the user to recover and set up 2FA again.
But this workaround is not ideal, and I think it would be better for both parties if we could disable 2FA altogether.
Version
Ory Network
Additional Context
No response
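An added example, not from the thread or from Ory's own code: an admin-side reset that uses the credential-deletion operation linked in the replies, limited to the two second-factor types the issue names, so the stored secrets never have to be fetched and handed to the user. The path `/admin/identities/{id}/credentials/{type}`, the bearer-token API key and the base URL are assumptions about the Ory admin API; the function names are hypothetical.

```python
import re
import urllib.error
import urllib.request

# Second-factor credential types named in this issue. Anything else is refused,
# so this helper cannot be used to remove a password or other first factor.
SECOND_FACTORS = {"totp", "lookup_secret"}
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def build_reset_request(base_url, api_key, identity_id, cred_type):
    """Build (but do not send) the admin request deleting one 2FA credential."""
    if cred_type not in SECOND_FACTORS:
        raise ValueError(f"refusing to delete credential type {cred_type!r}")
    identity_id = identity_id.lower()
    if not UUID_RE.fullmatch(identity_id):
        # Also blocks path tricks such as "../" in a caller-supplied id.
        raise ValueError("identity id must be a UUID")
    if not base_url.startswith("https://"):
        raise ValueError("the admin API key must only travel over HTTPS")
    # Assumed path of the linked deleteIdentityCredentials operation.
    url = f"{base_url.rstrip('/')}/admin/identities/{identity_id}/credentials/{cred_type}"
    return urllib.request.Request(
        url, method="DELETE", headers={"Authorization": f"Bearer {api_key}"}
    )


def reset_second_factors(base_url, api_key, identity_id, send=urllib.request.urlopen):
    """Delete TOTP and recovery codes for one identity; return status per type."""
    results = {}
    for cred_type in sorted(SECOND_FACTORS):
        req = build_reset_request(base_url, api_key, identity_id, cred_type)
        try:
            with send(req) as resp:
                results[cred_type] = resp.status
        except urllib.error.HTTPError as err:
            # Record non-2xx answers per type instead of aborting the loop,
            # so the caller can log exactly which factor was (not) removed.
            results[cred_type] = err.code
    return results
```

Call `reset_second_factors` only after the user's identity has been verified out of band, and log the returned statuses together with the operator who triggered the reset.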