ory
Using highest_available AAL does not work with SMS based 2FA
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
Kratos does not enforce aal2 for flows configured for highest_available AAL when using SMS based 2FA.
When using other 2FA methods, Kratos will require AAL2 if 2FA is configured on the identity. For example, setting whoami to highest available:
whoami:
required_aal: highest_available
An identity that has TOTP based 2FA configured will not be able to access whoami without an AAL2 session. A call to whoami will redirect the client to a new aal2 login flow, eg:
{
"error": {
"id": "session_aal2_required",
"code": 403,
"status": "Forbidden",
"reason": "An active session was found but it does not fulfill the requested Authenticator Assurance Level. Please verify yourself with a second factor to resolve this issue.",
"details": {
"redirect_browser_to": "http://127.0.0.1:4433/self-service/login/browser?aal=aal2"
},
"message": "Session does not fulfill the requested Authenticator Assurance Level"
}
}
However, this enforcement of AAL2 does not happen when using SMS based 2FA. whoami responds with a 200 when a session is aal1, even though the identity has a verified phone number and Kratos is configured to use SMS for 2FA.
Reproducing the bug
- Configure identity schema with a phone number to be used for 2FA
"phone": {
"title": "Mobile Number",
"type": "string",
"format": "tel",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "sms"
}
}
- Configure Kratos for SMS based 2FA (relevant sections of Kratos.yml shown)
session:
whoami:
required_aal: highest_available
methods:
code:
enabled: true
mfa_enabled: true
courier:
(omitted, but configured to send SMS)
- Log in through Kratos.
- In a settings flow, add the user's phone number
- Complete the verification process
- Log out
- Log in with email/password
- Call whoami
I would expect that, given the user has a valid 2FA method on their account, that the call to whoami would fail, as the highest_available AAL should be AAL2. However, Kratos works as if the user only has AAL1.
Other flows like settings behave in the same way. It is possible to change a password, generate recovery codes, etc. all at AAL1, which defeats the purpose of configuring SMS based 2FA. This also does not match how Kratos works with other 2FA methods.
Relevant log output
No response
Relevant configuration
No response
Version
1.1.0
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Docker
Additional Context
No response
Yes, that is a known limitation of the current implementation. We didn't consider SMS a full MFA method (due to the nature of SMS, and other factors), so the current implementation is more of a workaround to achieve an AAL2 session, rather than a drop-in replacement/full alternative for the other MFA methods.
However, I agree that this leaves room for improvement here, and contributions are welcome.
Hello, I would like to know if any improvements are planned regarding this functionality. From what I understand (but I might be mistaken) of the current design, the SMS 2FA relies on the code workflow and thus allows upgrading the session from AAL1 to AAL2, but it does not set the highest_available level to AAL2 for the account. Are there any drafts or ongoing work on this issue? I would be happy to contribute to this improvement if needed.
We are actively working on improving htis. No timelines on the open source release though.
