Account recovery using voice as the side channel - i.e. use a Recovery code created via the Admin API, with a self-service Recovery FlowID #3967

Open
5 tasks done
quintilation opened this issue Jun 24, 2024 · 0 comments
Labels
feat New feature or request.

Comments

@quintilation
Preflight checklist

Ory Network Project

No response

Describe your problem

Some of our customers insist that Ory is used without Email or SMS connections.
We would like to be able to offer an account recovery mechanism using only a reset code passed by voice over a telephone.

Describe your ideal solution

We would like to add a new option to the account recovery process, e.g.

  1. request a recovery code by email (already exists)
  2. request a recovery code by SMS (already exists)
  3. request a recovery code by telephone

If the user selects option 3, then they must telephone a system administrator and prove their identity to them.
The administrator can then use a new Kratos Admin API to generate a recovery code.
This short (6 digit) recovery code can then be used by the user to regain access to their account.

It is important that the recovery code generated via the new Admin API can be used with the user's recovery FlowID, rather than being tied to a FlowID of the administrators session.

Such a recovery code would only be valid for a short period (say 10 mins) and for one user's account.

Workarounds or alternatives

There is an existing admin API to recover access to accounts but this allows the administrator to gain access to a user's account.
This recovery code is only valid when presented with the URL (containing an administrator's FlowID), it cannot be used by a user.
The Administrator can then (I assume) set the password to anything they like, and give this password to the user over the Telephone.

This is not straightforward for us as our admin API is managed by a gateway application rather than a browser interface.
It also feels poor practice asking the administrator to choose a new password and then explain it to the User over a telephone line.

Version

kratos v1.2

Additional Context

I understand this is not an issue for large scale kratos deployments (cloud scale) as email is always available in these situations.

Our customers are TV and Radio broadcasters. They have become extremely cautious about allowing any internet connectivity from their services, incoming or outgoing. This means we have to implement self-hosted ory products and we cannot rely on internet connections for services such as smtp.

@quintilation quintilation added the feat New feature or request. label Jun 24, 2024
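The issuance and redemption logic the request describes, written out as an added illustration that is not part of the issue and not Ory Kratos code. A hypothetical admin endpoint would call `IssueCode` with the identity the administrator verified by phone and the flow ID the user reads out; the user's own self-service recovery flow would then call `RedeemCode`. The code is bound to that flow ID and that identity, expires after 10 minutes, is consumed on first success, and tolerates only a few wrong guesses, which a 6-digit space requires. `CodeStore`, the method names and the sample flow/identity IDs are all assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Illustrative model of the requested feature; not Ory Kratos code.

const (
	codeLength  = 6
	codeTTL     = 10 * time.Minute // validity window suggested in the issue
	maxAttempts = 3                // a 6-digit code must be rate limited per flow
)

var (
	ErrNoCode  = errors.New("no admin-issued code for this recovery flow")
	ErrExpired = errors.New("recovery code expired")
	ErrLocked  = errors.New("too many failed attempts; flow invalidated")
	ErrInvalid = errors.New("invalid recovery code")
)

type issuedCode struct {
	identityID string // account the code may recover, fixed by the admin
	code       string
	expiresAt  time.Time
	failures   int
}

// CodeStore keys codes by the user's own recovery flow ID, so a code can only
// be redeemed inside the flow it was issued for (hypothetical store).
type CodeStore struct {
	mu    sync.Mutex
	codes map[string]*issuedCode
	Now   func() time.Time // injectable clock, so expiry can be tested
}

func NewCodeStore() *CodeStore {
	return &CodeStore{codes: make(map[string]*issuedCode), Now: time.Now}
}

// randomDigits returns n decimal digits from a CSPRNG, zero-padded.
func randomDigits(n int) (string, error) {
	max := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(n)), nil)
	v, err := rand.Int(rand.Reader, max)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", n, v.Int64()), nil
}

// IssueCode is what the hypothetical Admin API would call once the caller has
// been identified over the phone. Reissuing for a flow replaces the old code.
func (s *CodeStore) IssueCode(flowID, identityID string) (string, error) {
	code, err := randomDigits(codeLength)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[flowID] = &issuedCode{identityID: identityID, code: code, expiresAt: s.Now().Add(codeTTL)}
	return code, nil
}

// RedeemCode is called by the self-service flow with its flow ID and the code
// the user typed. On success it returns the identity to recover and consumes
// the code; after maxAttempts failures the flow is invalidated.
func (s *CodeStore) RedeemCode(flowID, submitted string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	entry, ok := s.codes[flowID]
	if !ok {
		return "", ErrNoCode
	}
	if s.Now().After(entry.expiresAt) {
		delete(s.codes, flowID)
		return "", ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(entry.code), []byte(submitted)) != 1 {
		entry.failures++
		if entry.failures >= maxAttempts {
			delete(s.codes, flowID)
			return "", ErrLocked
		}
		return "", ErrInvalid
	}
	delete(s.codes, flowID) // single use
	return entry.identityID, nil
}

func main() {
	store := NewCodeStore()
	// Constructed sample IDs; in Kratos both would be UUIDs.
	code, _ := store.IssueCode("flow-123", "identity-abc")
	fmt.Println("admin reads out code:", code)
	id, err := store.RedeemCode("flow-123", code)
	fmt.Println("recovered identity:", id, "err:", err)
	_, err = store.RedeemCode("flow-123", code)
	fmt.Println("second use:", err)
}
```

With three attempts and a 10-minute window an attacker who knows a victim's flow ID has at most a 3 in 10^6 chance of guessing the code before the flow is invalidated. In a real implementation the code would be stored hashed alongside the flow rather than in memory, and the issuing endpoint would sit behind the same admin authentication as the rest of the Admin API.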