Using highest_available AAL does not work with SMS based 2FA
MichaelMarner opened this issue · comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
Kratos does not enforce aal2
for flows configured for highest_available
AAL when using SMS based 2FA.
When using other 2FA methods, Kratos will require AAL2 if 2FA is configured on the identity. For example, setting whoami
to highest available:
whoami:
required_aal: highest_available
An identity that has TOTP based 2FA configured will not be able to access whoami
without an AAL2 session. A call to whoami will redirect the client to a new aal2 login flow, eg:
{
"error": {
"id": "session_aal2_required",
"code": 403,
"status": "Forbidden",
"reason": "An active session was found but it does not fulfill the requested Authenticator Assurance Level. Please verify yourself with a second factor to resolve this issue.",
"details": {
"redirect_browser_to": "http://127.0.0.1:4433/self-service/login/browser?aal=aal2"
},
"message": "Session does not fulfill the requested Authenticator Assurance Level"
}
}
However, this enforcement of AAL2 does not happen when using SMS based 2FA. whoami responds with a 200 when a session is aal1
, even though the identity has a verified phone number and Kratos is configured to use SMS for 2FA.
Reproducing the bug
- Configure identity schema with a phone number to be used for 2FA
"phone": {
"title": "Mobile Number",
"type": "string",
"format": "tel",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
},
"verification": {
"via": "sms"
}
}
- Configure Kratos for SMS based 2FA (relevant sections of Kratos.yml shown)
session:
whoami:
required_aal: highest_available
methods:
code:
enabled: true
mfa_enabled: true
courier:
(omitted, but configured to send SMS)
- Log in through Kratos.
- In a settings flow, add the user's phone number
- Complete the verification process
- Log out
- Log in with email/password
- Call whoami
I would expect that, given the user has a valid 2FA method on their account, that the call to whoami would fail, as the highest_available
AAL should be AAL2. However, Kratos works as if the user only has AAL1.
Other flows like settings behave in the same way. It is possible to change a password, generate recovery codes, etc. all at AAL1, which defeats the purpose of configuring SMS based 2FA. This also does not match how Kratos works with other 2FA methods.
Relevant log output
No response
Relevant configuration
No response
Version
1.1.0
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Docker
Additional Context
No response