Hello,

the guys from projectlombok built an example application (see [0]) for TOTP based 
multi-factor authentication which they showed at the Javaland 2016 conference in Germany last week.

In this app they demoed an interesting security feature: 

if a user enters a wrong TOTP code (or a far off one) they require the user to 
enter 3 consecutive valid TOTP codes - although I can imagine that this is a bit annoying 
for the user, it nevertheless could add an additional level of security to the 
TOTP authentication mechanism.

They show the following message if a user entered a wrong / far-off TOTP token:

"Due to entering a wrong TOTP confirmation code, you now need to enter 3 consecutive codes
so that we can confirm you're not just guessing codes, and detect issues with your verification device's clock."

Perhaps keycloak could add such a feature as well.

Cheers,
Thomas

[0] - https://github.com/rzwitserloot/totp-example
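The "three consecutive codes after a miss" rule described in the mail, as an added illustration written for this post (not code from the totp-example app or from Keycloak). It assumes a standard RFC 6238 TOTP (SHA-1, 30-second step, 6 digits, a ±1 step window) and a hypothetical `TotpVerifier` class that holds the per-user state; the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Per-user TOTP check. One wrong code switches the user into a recovery
    chain: three valid codes from three successive time steps are required
    before a login is accepted again (hypothetical class, constructed here)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.needed = 1          # valid codes still required for a login
        self.chain_step = None   # last accepted time step inside a recovery chain

    def _match(self, code: str, now: float):
        """Return the time step whose code matches, or None (window of +/- self.window)."""
        step = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(self.secret, step + delta), code):
                return step + delta
        return None

    def verify(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        matched = self._match(code, now)
        if matched is None:
            self.needed, self.chain_step = 3, None   # penalty: start a 3-code chain
            return False
        if self.chain_step is not None and matched != self.chain_step + 1:
            self.needed = 3   # replayed or out-of-order code: the chain restarts here
        self.needed -= 1
        if self.needed > 0:
            self.chain_step = matched
            return False      # valid, but the chain is not complete yet
        self.needed, self.chain_step = 1, None
        return True


SECRET = b"12345678901234567890"  # RFC 6238 test key, used only for demonstration
```

Because the chain requires codes from successive steps, a guesser who happens to hit one valid code must also hit the next two in order, and a device with a drifting clock shows up as a chain that never completes.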