Passwordless email flows
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
We'd like to fall back to email authentication in situations where users do not want to set up TOTP MFA.
Describe your ideal solution
Ideal solution would be a code emailed to a user to avoid the issue described in https://github.com/ory/kratos/issues/1451.
Workarounds or alternatives
As far as I can tell, there's no workaround.
Version
0.8
Additional Context
No response
If I reset my password using the recovery flow, which sends an email to my inbox that contains a link to change the password, wouldn't that completely bypass the "multi" in multi-factor authentication?
Calling this MFA was the wrong way to put it, but my goal is to not rely on password authentication if they haven't set up TOTP to protect against accidental password leaks / brute forcing.
Since Kratos doesn't have a passwordless authentication system today, my solution would be to require email verification on every login as part of the MFA system that was recently built, but I'm open to other suggestions.
In an ideal world everyone would just use TOTP. Unfortunately, not everyone understands how that works so we can't require it.
I see, so you want passwordless authentication with email? That makes sense! I thought we had this tracked already, but apparently we do not yet have a dedicated issue for it.
Yep, pretty much. Happy for this issue to be the one that tracks the "email" login strategy.
Have there been any further updates on this? For our case it's a critical one, and we'd love to adopt.
We're also eager for this feature and would greatly appreciate any horizon that can be given. Would it be appropriate for the 1.0 milestone?
It seems that this feature is similar to https://github.com/ory/kratos/pull/2033.
> It seems that this feature is similar to https://github.com/ory/kratos/pull/2033.
Yes, they're related!
> We're also eager for this feature and would greatly appreciate any horizon that can be given. Would it be appropriate for the 1.0 milestone?
It's definitely high up on our priority list. I can't give a definite estimate but aim to ship it in the coming months.