Backup Recovery Codes without any 2FA Method enabled

[markusheinemann]

Hello,

I've been playing around with Ory Kratos for some time now. I noticed that it is possible to have backup recovery codes as the only second factor. Here is an example, how I went into this situation:

1. Create a new identity and open the settings page
2. Configure TOTP as second factor for that identity
3. Configure Backup Recovery Codes for that identity
4. Remove the TOTP

After I logged in again, I was asked straight for the backup recovery code as second factor. Unfortunately, I didn't write the backup codes down and locked myself out. Thankfully, this only happened on my local Kratos environment.

After giving it some thought, I'm not sure if it is a expected behavior to have only the Backup Codes as second factor. I would expect one of these two things:

1. An error when trying to remove TOTP (or the last second factor) and backup recovery codes are still enabled.
2. The backup recovery codes will be disabled automatically as soon as the "last" second factor is removed.

In the docs I found this section:

Lookup Secrets, also known as Backup Codes or Recovery Codes, are a 2FA fail-safe mechanism, rather than a standalone two-factor authentication method.
from https://www.ory.sh/docs/kratos/mfa/lookup-secrets

Before I'm raising an Issue I want to discuss if the current behavior is expected or not. What do you think?