[keycloak-user] Requiring 2FA?

[Max Allan]

>
> I have done some digging and if admin sends out a password reset, it works
as I expect, the user resets their password and then prompted to return to
the login page, and they login normally.
IF they use the self service reset function they reset their password and
are logged in to the application, without TOTP prompt.

> I looked at the JWT in the reset email and can see that it says
"reset-credentials" on self reset and "execute-actions" on a managed reset.
So, I looked at the "Reset Credentials" flow. Added the OTP form.
With OTP form added, the user is requested to enter their OTP when they
click the link. And the button says "Log In".

> I can see this causing major confusion in the user community. "Log In? But
I've not reset my password yet. Help, what do I do, is there a security
breach that it lets me login without a password??"

> The OTP form is first in the flow regardless of position in the "Copy of
Reset Credentials" flow. I can see the logic behind requiring TOTP before
resetting the password, it does validate that the user is who they claim to
be, however, "Login" will cause confusion

> Raised : https://issues.jboss.org/browse/KEYCLOAK-9648 to cover it.

> Max
On Fri, 22 Feb 2019 at 16:03, Max Allan <max.allan+keycloak at surevine.com>
wrote:
>
> Hello,
>> I have a client app, and have enabled 2FA (totp) as a required step in
>> it's browser auth flow.
>>
>> What we find is that some new users have been able to get the "reset your
>> password" link, reset their password and somehow access the client WITHOUT
>> 2FA.
>> Most reset their password and are then prompted to setup TOTP 2FA.
>>
>>