23 changes: 16 additions & 7 deletions docs/kratos/mfa/01_overview.mdx
Expand Up @@ -48,6 +48,11 @@ authentication method. They can be used to complete the second factor when users
SMS for MFA sends a one-time password to the user's registered mobile phone number via text message. Read the
[Code via SMS](../../../docs/kratos/mfa/mfa-via-sms) documentation to learn more.

### Email

Email for MFA sends a one-time code to the user's registered email address. Read the
[Code via Email](../../../docs/kratos/mfa/mfa-via-sms) documentation to learn more.

## Terminology

Learn more about the terms and concepts used when talking about 2FA in Ory.
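
Review bot: the link in the new Email section, `[Code via Email](../../../docs/kratos/mfa/mfa-via-sms)`, points at the same `mfa-via-sms` target as the SMS link just above it, so a reader looking for email code setup lands on the SMS page. Point it at the email code document, or if that page is meant to cover both channels, say so in the link text.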
Expand All @@ -59,6 +64,7 @@ The Authentication Method Reference (AMR) is an array of authentication methods
The following methods can be present in a session:

- `password` - When the user authenticated with their password.
- `code` - When the user authenticated by code sent via email address.
- `oidc`- When the user authenticated by signing in with a social sign-in provider.
- `totp`- When the user authenticated by entering a time-based one-time password.
- `webauthn` - When the user authenticated through a WebAuthn channel, such as OS-level biometric authentication or a hardware
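
Review bot: the added `code` entry reads "authenticated by code sent via email address", which is awkward and ties the method to email only, while the SMS section earlier in this file also describes a one-time code. Suggest "When the user authenticated with a one-time code sent to their email address", and state explicitly whether a code delivered by SMS also shows up as `code` in the AMR, so readers who inspect this list know what the value does and does not tell them.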
Expand Down Expand Up @@ -120,16 +126,19 @@ The Authenticator Assurance Level (AAL) indicates how many authentication factor

Authentication methods are classified into factors:

| Authentication method | Factor |
| :-------------------- | :----- |
| `password` | first |
| `oidc` | first |
| `totp` | second |
| `webauthn` | second |
| `lookup_secret` | second |
| Authentication method | Factor |
| :-------------------- | :----------- |
| `password` | first |
| `oidc` | first |
| `code` | first/second |
| `totp` | second |
| `webauthn` | second |
| `lookup_secret` | second |

:::info

You can use `code` as first or second factor but not both at the same time.

When you enable [passwordless authentication with WebAuthn or Passkeys](../passwordless/05_passkeys.mdx), it isn't considered as a
second authentication factor.
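
Review bot: the `first/second` cell for `code` and the added sentence "You can use `code` as first or second factor but not both at the same time" do not say how the choice affects the resulting AAL, which is the subject of this section. If the intended meaning is that a session started with `code` as the first factor needs a different method for the second factor, state that directly. The sentence also now shares the `:::info` block with the unrelated WebAuthn/Passkeys note; consider giving it its own admonition or moving it next to the table.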
