Giters

ory / kratos

Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market!

Home Page:https://www.ory.sh/kratos/?utm_source=github&utm_medium=banner&utm_campaign=kratos

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Using highest_available AAL does not work with SMS based 2FA

MichaelMarner opened this issue · comments

commented

Preflight checklist

Ory Network Project

No response

Describe the bug

Kratos does not enforce aal2 for flows configured for highest_available AAL when using SMS based 2FA.

When using other 2FA methods, Kratos will require AAL2 if 2FA is configured on the identity. For example, setting whoami to highest available:

  whoami:
    required_aal: highest_available

An identity that has TOTP based 2FA configured will not be able to access whoami without an AAL2 session. A call to whoami will redirect the client to a new aal2 login flow, eg:

{
    "error": {
        "id": "session_aal2_required",
        "code": 403,
        "status": "Forbidden",
        "reason": "An active session was found but it does not fulfill the requested Authenticator Assurance Level. Please verify yourself with a second factor to resolve this issue.",
        "details": {
            "redirect_browser_to": "http://127.0.0.1:4433/self-service/login/browser?aal=aal2"
        },
        "message": "Session does not fulfill the requested Authenticator Assurance Level"
    }
}

However, this enforcement of AAL2 does not happen when using SMS based 2FA. whoami responds with a 200 when a session is aal1, even though the identity has a verified phone number and Kratos is configured to use SMS for 2FA.

Reproducing the bug

  1. Configure identity schema with a phone number to be used for 2FA
       "phone": {
          "title": "Mobile Number",
          "type": "string",
          "format": "tel",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "sms"
            }
          }
  1. Configure Kratos for SMS based 2FA (relevant sections of Kratos.yml shown)
session:
  whoami:
    required_aal: highest_available

methods:
    code:
      enabled: true
      mfa_enabled: true

courier:
  (omitted, but configured to send SMS)
  1. Log in through Kratos.
  2. In a settings flow, add the user's phone number
  3. Complete the verification process
  4. Log out
  5. Log in with email/password
  6. Call whoami

I would expect that, given the user has a valid 2FA method on their account, that the call to whoami would fail, as the highest_available AAL should be AAL2. However, Kratos works as if the user only has AAL1.

Other flows like settings behave in the same way. It is possible to change a password, generate recovery codes, etc. all at AAL1, which defeats the purpose of configuring SMS based 2FA. This also does not match how Kratos works with other 2FA methods.

Relevant log output

No response

Relevant configuration

No response

Version

1.1.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker

Additional Context

No response