
Ory Kratos v25.4.0 enhances passwordless, Passkeys, and performance

Ory Kratos v25.4.0 adds SMS-based passwordless login, Android WebAuthn passkey support, and major performance upgrades for secure, modern authentication.

Lani Leuthvilay

Head of Technical Product Marketing

Nov 12, 2025

We’re thrilled to announce Ory Kratos v25.4.0, the latest open source release of our identity and user management system.

This version brings passwordless authentication via SMS, expanded passkey and WebAuthn support, new OIDC features, extended event emission for observability, and significant database and API optimizations.

The latest Kratos open source also lays the groundwork for compatibility with Ory Elements v1.0, introducing refinements to self-service flows that make integrations smoother than ever. You will notice stronger migration tooling, improved performance at scale, and more robust hooks.

ICYMI: Earlier this week we introduced the latest open source version of Ory Hydra and our new versioning scheme to make upgrades more predictable.

Passwordless by design

With this release, Kratos now supports passwordless login and registration via SMS. We built this feature for emerging market customers where login with SMS is very common.

Security note: SMS login improves accessibility for users without smartphones or access to e-mail, but it is a low-assurance authentication channel. Phone numbers are weakly bound to the user and are vulnerable to SIM-swaps, interception, and number recycling. It’s useful for reach, but it should not be treated as a high-security factor.

Recovery flows have also been updated. Recovery codes can be delivered via SMS as well as to any, and multiple, email address types. A new “resend” node after registration ensures smoother verification experiences.

This brings SMS authentication to parity with email-based flows and makes it more usable in mobile-first applications and low-friction onboarding journeys.

Expanding Passkey and credential support

Passkeys continue to gain adoption industry-wide as the most user-friendly and phishing-resistant form of authentication. In v25.4.0, Kratos adds support for Android WebAuthn origins, enabling secure passkey login and registration flows on Android devices alongside desktop browsers.

Developers can now rely on the new oryWebAuthnInitialized event in the browser, which signals when WebAuthn is ready.

Reliability is also improved due to more graceful handling of password rehashing during login and better retry behavior for conditional passkeys.

Enhanced OIDC and SAML integrations

Kratos continues to strengthen its OIDC interoperability layer. This release includes:

  • Support for the Line v2.1 OIDC provider.
  • More stable identifiers for Microsoft OIDC (oid now replaces sub).
  • Caching of OIDC providers to cut down on discovery endpoint calls.
  • New policy callbacks and registry extension points for greater control when linking OIDC credentials.

Better user journeys

User flows have been improved across the board. If an identity requires verification, Kratos now automatically starts the flow.

Native login and registration flows also now handle alreadyAuthenticated states more gracefully, ensuring that authenticated users are guided forward rather than blocked or asked to restart.

The Admin API also gains the ability to remove password credentials (when they are not the last factor), making credential lifecycle management cleaner and safer.

Improved visibility through events

Kratos now surfaces more lifecycle context through events, giving operators deeper insight into how authentication flows behave in production. New LoginStarted and RegistrationStarted events make it easier to trace where a user is in the process, while courier delivery events (CourierMessageAbandoned and CourierMessageDispatched) provide transparency into message handling outcomes.

Events are also emitted when Jsonnet mappings fail — for example, if claims transformation or JWT templating encounters an issue. This turns what were previously silent misconfigurations into observable signals. These richer payloads flow through existing hooks and tracing systems, meaning debugging becomes faster without changing deployment configurations.

The result is a more introspectable identity layer that behaves like the other modern infrastructure components teams are already monitoring.
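
One way to use these events for monitoring, as an added Python example that is not part of the release notes or Ory's code: it correlates the start events with courier outcomes per flow and flags delivery channels with a high abandon rate. The event names are the ones listed above; the record layout (name, flow_id, channel), the thresholds, and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Event names come from the release notes. The record layout
# (name, flow_id, channel) is an assumption, not Kratos' event schema.
STARTED = {"LoginStarted", "RegistrationStarted"}
COURIER = {"CourierMessageDispatched": "dispatched",
           "CourierMessageAbandoned": "abandoned"}

# Constructed sample data, not real Kratos output.
SAMPLE_EVENTS = [
    {"name": "LoginStarted", "flow_id": "f1"},
    {"name": "CourierMessageDispatched", "flow_id": "f1", "channel": "sms"},
    {"name": "RegistrationStarted", "flow_id": "f2"},
    {"name": "CourierMessageAbandoned", "flow_id": "f2", "channel": "sms"},
    {"name": "LoginStarted", "flow_id": "f3"},
    {"name": "CourierMessageAbandoned", "flow_id": "f3", "channel": "sms"},
    {"name": "LoginStarted", "flow_id": "f4"},
    {"name": "CourierMessageDispatched", "flow_id": "f4", "channel": "email"},
    {"name": "LoginStarted", "flow_id": "f5"},  # no courier outcome yet
    {"name": "CourierMessageDispatched", "flow_id": "f9", "channel": "email"},
]

def flow_states(events):
    """Map each started flow to its last known stage.
    Courier events for flows with no prior start event are ignored."""
    states = {}
    for ev in events:
        name, fid = ev.get("name"), ev.get("flow_id")
        if name in STARTED:
            states.setdefault(fid, "started")
        elif name in COURIER and fid in states:
            states[fid] = COURIER[name]
    return states

def channel_summary(events):
    """Count courier outcomes per delivery channel."""
    summary = defaultdict(Counter)
    for ev in events:
        if ev.get("name") in COURIER:
            summary[ev.get("channel", "unknown")][COURIER[ev["name"]]] += 1
    return {ch: dict(c) for ch, c in summary.items()}

def channels_to_alert(events, max_abandon_rate=0.25, min_messages=3):
    """Channels whose abandon rate exceeds the threshold, skipping tiny samples."""
    alerts = []
    for ch, counts in channel_summary(events).items():
        total = sum(counts.values())  # never zero: entries exist only once counted
        rate = counts.get("abandoned", 0) / total
        if total >= min_messages and rate > max_abandon_rate:
            alerts.append((ch, round(rate, 2)))
    return sorted(alerts)
```

A flow left in the "started" state has no courier outcome recorded yet, which is distinct from one whose message was abandoned.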

Performance and operational wins

This release also includes performance work aimed at making Kratos more responsive and easier to run in production. Lookups across identities, sessions, and self-service flows have been tightened and streamlined, reducing overhead and improving request responsiveness without configuration changes.

Operations and tooling have gotten smoother as well. The new kratos migrate sql up|down|status commands replace the older migration interface with a clearer and more intuitive workflow. HTML email support in the courier lets teams send richer messages out of the box, and identities can now include external IDs through the API and webhooks, making it easier to sync users across multiple systems. A new JWT tokenization endpoint further simplifies interoperability for downstream services.

The result is a release that not only brings new features but also lowers friction for operators running Kratos themselves — faster to manage, easier to integrate, and more predictable to maintain over time.

Get started

With Ory Kratos v25.4, passwordless authentication, passkeys, and enterprise integrations take a leap forward. This release is designed to inspire developers and operators to build secure, seamless identity experiences—and to make upgrading worthwhile.

New releases coming this week

Stay tuned as we announce new OSS versions of Keto and Oathkeeper tomorrow. Each release will follow the new versioning format with clear upgrade documentation.

Join us for a live walkthrough on Thursday, November 13th, where we'll dive into the updates made to the Ory stack, demonstrate the new versioning, and answer your questions about the newly released OSS features and upgrade.

Why Ory Enterprise License matters

Open source releases give you powerful identity infrastructure. However, mission-critical production environments often need continuous security patches, enterprise features that support compliance requirements, and updates that keep pace with your infrastructure demands.

Ory Enterprise License (OEL) for Ory Kratos adds everything needed for enterprise-grade B2B SSO such as SAML, SCIM, organization-level SSO, domain-based routing, and a self-service onboarding portal so your customers can quickly and easily connect their IdP.

For teams running identity infrastructure that needs to stay secure, compliant, and performant at scale, OEL delivers the update cadence and enterprise capabilities that production environments require.

Evaluating Ory for web-scale production? Learn more about OEL.

Questions about the new versioning? Join us in Ory Community Slack or GitHub Discussions.