Credentials

Each identity has one or more credentials associated with it:

```yaml
credentials:
  password:
    id: password
    identifiers:
      - john.doe@acme.com
      - johnd@ory.sh
    config:
      hashed_password: ...
  oidc:
    id: oidc
    identifiers:
      - google:j8kf7a3...
      - facebook:83475891...
    config:
      - provider: google
        identifier: j8kf7a3
      - provider: facebook
        identifier: 83475891
```

Ory Kratos supports several credential types:

  • password: The most common identifier (username, email, ...) + password credential.
  • passkey: Passkeys use WebAuthn standards for secure, user-friendly, and cryptographic passwordless authentication.
  • code: The "Log in via email or SMS" credential using a one-time code.
  • oidc: The "Log in with Google/Facebook/GitHub/..." credential using OpenID Connect.
  • saml: A standard for exchanging auth data between parties, often used for B2B SSO.
  • webauthn: The same technology as Passkeys used as a second factor.
  • totp: Time-based one-time passwords generated by authenticator apps, used as a second factor.
  • lookup_secret: One-time codes used as a recovery mechanism for 2FA when the primary second factor is unavailable.

Each credential - regardless of its type - has one or more identifiers attached to it. Each identifier is universally unique. Assuming we had one identity with credentials

```yaml
credentials:
  password:
    id: password
    identifiers:
      - john.doe@acme.com
```

and tried to create (or update) another identity with the same identifier (john.doe@acme.com), the system would reject the request with a 409 Conflict state.

While identifiers must be unique within a credential type, the same identifier may appear under several different types:

```yaml
# This is ok:
credentials:
  password:
    id: password
    identifiers:
      - john.doe@acme.com
  oidc:
    id: oidc
    identifiers:
      - john.doe@acme.com
```

The same would apply if those were two separate identities:

```yaml
# Identity 1
credentials:
  password:
    id: password
    identifiers:
      - john.doe@acme.com
---
# Identity 2
credentials:
  oidc:
    id: oidc
    identifiers:
      - john.doe@acme.com
```
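The uniqueness rule from the two passages above (identifiers are unique per credential type, duplicates across types are allowed, and a collision within a type is rejected with 409 Conflict) is easy to get wrong when the index key is the identifier alone. The following Go program is an added example, not Ory Kratos code: it models the identity store as a hypothetical in-memory `Registry` whose index is keyed by credential type first and identifier second, and replays the page's scenarios. It assumes identifiers are compared as exact strings; any normalisation (e.g. case-folding of e-mail addresses) would be a policy on top of this.

```go
package main

import (
	"errors"
	"fmt"
)

// CredentialType names the credential types listed on the page.
type CredentialType string

const (
	TypePassword     CredentialType = "password"
	TypePasskey      CredentialType = "passkey"
	TypeCode         CredentialType = "code"
	TypeOIDC         CredentialType = "oidc"
	TypeSAML         CredentialType = "saml"
	TypeWebAuthn     CredentialType = "webauthn"
	TypeTOTP         CredentialType = "totp"
	TypeLookupSecret CredentialType = "lookup_secret"
)

// Credential carries the identifiers attached to one credential of an identity.
// The per-type config (hashed password, provider subjects, ...) is left out
// because it plays no part in the uniqueness rule.
type Credential struct {
	Identifiers []string
}

// Identity holds credentials keyed by type, mirroring the YAML on the page.
type Identity struct {
	ID          string
	Credentials map[CredentialType]Credential
}

// ErrConflict models the 409 Conflict response the page describes.
var ErrConflict = errors.New("409 Conflict: identifier already used for this credential type")

// Registry is a hypothetical in-memory identity store (not Kratos code).
// index maps credential type -> identifier -> owning identity ID, so the
// same string may live under "password" and under "oidc" at the same time,
// but never twice under one type.
type Registry struct {
	identities map[string]Identity
	index      map[CredentialType]map[string]string
}

func NewRegistry() *Registry {
	return &Registry{
		identities: map[string]Identity{},
		index:      map[CredentialType]map[string]string{},
	}
}

// Upsert creates or updates an identity. The whole request is rejected with
// ErrConflict, and nothing is written, if any identifier is already owned by
// a different identity under the same credential type.
func (r *Registry) Upsert(id Identity) error {
	for ctype, cred := range id.Credentials {
		for _, ident := range cred.Identifiers {
			if owner, taken := r.index[ctype][ident]; taken && owner != id.ID {
				return fmt.Errorf("%w: %s identifier %q belongs to identity %s", ErrConflict, ctype, ident, owner)
			}
		}
	}
	// On update, drop the previous index entries so removed identifiers are freed.
	if old, exists := r.identities[id.ID]; exists {
		for ctype, cred := range old.Credentials {
			for _, ident := range cred.Identifiers {
				delete(r.index[ctype], ident)
			}
		}
	}
	for ctype, cred := range id.Credentials {
		if r.index[ctype] == nil {
			r.index[ctype] = map[string]string{}
		}
		for _, ident := range cred.Identifiers {
			r.index[ctype][ident] = id.ID
		}
	}
	r.identities[id.ID] = id
	return nil
}

// Owner reports which identity holds an identifier under a given credential type.
func (r *Registry) Owner(ctype CredentialType, identifier string) (string, bool) {
	owner, ok := r.index[ctype][identifier]
	return owner, ok
}

func main() {
	r := NewRegistry()
	report := func(label string, err error) {
		if err != nil {
			fmt.Println(label+":", err)
			return
		}
		fmt.Println(label + ": ok")
	}
	// Identity 1: password credential with john.doe@acme.com.
	report("identity 1 (password)", r.Upsert(Identity{ID: "1", Credentials: map[CredentialType]Credential{
		TypePassword: {Identifiers: []string{"john.doe@acme.com"}}}}))
	// Identity 2: same identifier under oidc, a different type, so it is allowed.
	report("identity 2 (oidc)", r.Upsert(Identity{ID: "2", Credentials: map[CredentialType]Credential{
		TypeOIDC: {Identifiers: []string{"john.doe@acme.com"}}}}))
	// Identity 3: same identifier under password again, rejected with 409 Conflict.
	report("identity 3 (password)", r.Upsert(Identity{ID: "3", Credentials: map[CredentialType]Credential{
		TypePassword: {Identifiers: []string{"john.doe@acme.com"}}}}))
}
```

Keying the index by type before identifier is the whole point: a store that indexes on the identifier alone would wrongly reject the second identity, while one that does not index at all would silently let two password credentials share an e-mail address.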