Account recovery using voice as the side channel - i.e. use a Recovery code created via the Admin API, with a self-service Recovery FlowID #3967

@quintilation

Description

Preflight checklist

Ory Network Project

No response

Describe your problem

Some of our customers insist that Ory is used without Email or SMS connections.
We would like to be able to offer an account recovery mechanism using only a reset code passed by voice over a telephone.

Describe your ideal solution

We would like to add a new option to the account recovery process, e.g.

  1. request a recovery code by email (already exists)
  2. request a recovery code by SMS (already exists)
  3. request a recovery code by telephone

If the user selects option 3, then they must telephone a system administrator and prove their identity to them.
The administrator can then use a new Kratos Admin API to generate a recovery code.
This short (6 digit) recovery code can then be used by the user to regain access to their account.

It is important that the recovery code generated via the new Admin API can be used with the user's recovery FlowID, rather than being tied to a FlowID of the administrator's session.

Such a recovery code would only be valid for a short period (say 10 mins) and for one user's account.

Workarounds or alternatives

There is an existing admin API to recover access to accounts, but this allows the administrator to gain access to a user's account.
This recovery code is only valid when presented with the URL (containing an administrator's FlowID); it cannot be used by a user.
The administrator can then (I assume) set the password to anything they like, and give this password to the user over the telephone.

This is not straightforward for us as our admin API is managed by a gateway application rather than a browser interface.
It also feels like poor practice to ask the administrator to choose a new password and then explain it to the user over a telephone line.

Version

kratos v1.2

Additional Context

I understand this is not an issue for large scale kratos deployments (cloud scale) as email is always available in these situations.

Our customers are TV and radio broadcasters. They have become extremely cautious about allowing any internet connectivity from their services, incoming or outgoing. This means we have to implement self-hosted Ory products and we cannot rely on internet connections for services such as SMTP.
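An added example, not Kratos code and not the reporter's, of how the requested admin-issued code could satisfy the constraints above: bound to the user's own recovery FlowID rather than the administrator's, valid for one identity only, short-lived, single use, stored only as a hash, and guess-limited because a 6-digit code has just 10^6 values. `codeStore`, `Issue` and `Redeem` are hypothetical names and the in-memory map stands in for the real persistence layer.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical record for an admin-issued recovery code (not Kratos's own schema).
type recoveryCode struct {
	identityID string    // the one account this code may recover
	hash       []byte    // SHA-256 of the code; the plaintext is never stored
	expiresAt  time.Time // short lifetime, e.g. 10 minutes
	attempts   int       // failed redemptions so far
}
const maxAttempts = 5 // a 6-digit code has only 10^6 values, so cap guesses
var errInvalid = errors.New("invalid, expired or exhausted recovery code")
// codeStore is keyed by the user's self-service recovery flow ID, not the admin's.
type codeStore struct{ codes map[string]*recoveryCode }
func newCodeStore() *codeStore { return &codeStore{codes: map[string]*recoveryCode{}} }
func hashCode(code string) []byte { h := sha256.Sum256([]byte(code)); return h[:] }

// Issue models the admin-side call made after the administrator has verified the caller by phone.
func (s *codeStore) Issue(identityID, flowID string, now time.Time, ttl time.Duration) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64()) // the 6-digit code the admin reads out
	s.codes[flowID] = &recoveryCode{identityID: identityID, hash: hashCode(code), expiresAt: now.Add(ttl)}
	return code, nil
}

// Redeem models the self-service side: the user submits the code in their own flow.
func (s *codeStore) Redeem(flowID, code string, now time.Time) (string, error) {
	rc, ok := s.codes[flowID]
	if !ok || rc.attempts >= maxAttempts || now.After(rc.expiresAt) {
		return "", errInvalid
	}
	if subtle.ConstantTimeCompare(rc.hash, hashCode(code)) != 1 {
		rc.attempts++
		return "", errInvalid
	}
	delete(s.codes, flowID) // single use: a redeemed code cannot be replayed
	return rc.identityID, nil
}
```

Redeem returns the same error for every failure mode so a caller cannot tell an unknown flow from a wrong guess, and the flow-keyed store means a code issued for one user's flow is useless in any other flow.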

Labels: feat (New feature or request), stale (Feedback from one or more authors is required to proceed)