Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
I'm running into a problem where I'm unable to completely remove a phone number from a user's identity.
We have SMS MFA enabled, and when a phone trait is added to an identity, it creates a new credential of type code, with the phone number as the identifier. I believe this is working as expected.
However, I'm unable to completely detach that phone number from the user's account.
I've got a standard email + password setup, with a phone trait like this:
```json
"phone": {
  "type": "string",
  "format": "tel",
  "title": "Phone Number",
  "ory.sh/kratos": {
    "credentials": {
      "code": {
        "identifier": true,
        "via": "sms"
      }
    }
  },
  "maxLength": 320
}
```
Reproducing the bug
Patch remove of /traits/phone. Trait is removed, credential/code remains.
Update identity, excluding /traits/phone. Trait is removed, credential/code remains.
DELETE /admin/identities/:identityID/credentials/code. 400 You cannot remove first factor credentials
Relevant log output
Relevant configuration
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          },
          "maxLength": 320
        },
        "phone": {
          "type": "string",
          "format": "tel",
          "title": "Phone Number",
          "ory.sh/kratos": {
            "credentials": {
              "code": {
                "identifier": true,
                "via": "sms"
              }
            }
          },
          "maxLength": 320
        }
      },
      "required": ["email"],
      "additionalProperties": false
    }
  }
}
```
Version
1.3.1
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
Is there some other method in which I should be deleting these code credentials?
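An added example, not from the issue author or the Ory project: a small audit that flags credential identifiers with no backing trait, which is the state the report describes after the phone trait is removed. It assumes the identity JSON carries a `credentials.<type>.identifiers` list when fetched with credentials included; the sample identity, the phone number and the function names are constructed for illustration.

```python
"""Flag credential identifiers that no longer match any identity trait."""

# Trimmed copy of the identity schema from the issue (extension blocks only).
SCHEMA_TRAITS = {
    "email": {"ory.sh/kratos": {"credentials": {"password": {"identifier": True}}}},
    "phone": {"ory.sh/kratos": {"credentials": {"code": {"identifier": True, "via": "sms"}}}},
}

# Constructed sample identity (assumed shape): the phone trait has been removed,
# but the code credential still lists the number as an identifier.
IDENTITY = {
    "id": "00000000-0000-0000-0000-000000000000",
    "traits": {"email": "user@example.com"},
    "credentials": {
        "password": {"type": "password", "identifiers": ["user@example.com"]},
        "code": {"type": "code", "identifiers": ["+15550100"]},
    },
}


def schema_credentials(spec):
    """Credential settings a trait declares under the ory.sh/kratos extension."""
    return spec.get("ory.sh/kratos", {}).get("credentials", {})


def expected_identifiers(schema_traits, traits):
    """Map credential type -> identifiers the current traits should produce."""
    expected = {}
    for name, spec in schema_traits.items():
        for cred_type, opts in schema_credentials(spec).items():
            if opts.get("identifier") and traits.get(name):
                expected.setdefault(cred_type, set()).add(str(traits[name]))
    return expected


def stale_identifiers(schema_traits, identity):
    """Return {credential type: sorted identifiers with no backing trait}."""
    expected = expected_identifiers(schema_traits, identity.get("traits", {}))
    derived = {t for s in schema_traits.values() for t in schema_credentials(s)}
    stale = {}
    for cred_type, cred in identity.get("credentials", {}).items():
        if cred_type not in derived:  # e.g. totp: not derived from traits
            continue
        # Exact string comparison; adjust if your deployment normalizes identifiers.
        extra = set(cred.get("identifiers") or []) - expected.get(cred_type, set())
        if extra:
            stale[cred_type] = sorted(extra)
    return stale


if __name__ == "__main__":
    print(stale_identifiers(SCHEMA_TRAITS, IDENTITY))
```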