Olympus Docs
ReferenceMFA methods

Email/SMS code

Code sent to a verified channel (email or phone) and entered.

One-time code via email or SMS

Spec:

Provides AAL: Variable, often considered weaker than AAL2

Summary

Code sent to a verified channel (email or phone) and entered.

Strengths

  • No app required
  • Familiar UX

Weaknesses

  • SIM swap (SMS)
  • Email compromise gives access
  • Latency

Enrollment

Implicit, the verified email/phone IS the channel.

Recovery

User regains channel access via separate channel.

Olympus specifics

Olympus's default doesn't include SMS (no SMS provider configured). Email-code is available via the recovery flow but typically not for ongoing MFA.

Backup codes

Pre-generated one-time codes the user prints/saves. Each can be used exactly once.

Step-up auth

User starts AAL1; for sensitive operations, Kratos requires AAL2 escalation before allowing.

On this page

One-time code via email or SMSSummaryStrengthsWeaknessesEnrollmentRecoveryOlympus specificsRelated