Hello,
the guys from projectlombok built an example application (see [0]) for TOTP based
multi-factor authentication which they showed at the Javaland 2016 conference in Germany last week.
In this app they demoed an interesting security feature:
if a user enters a wrong TOTP code (or a far off one) they require the user to
enter 3 consecutive valid TOTP codes - although I can imagine that this is a bit annoying
for the user, it nevertheless could add an additional level of security to the
TOTP authentication mechanism.
They show the following message if a user entered a wrong / far-off TOTP token:
"Due to entering a wrong TOTP confirmation code, you now need to enter 3 consecutive codes
so that we can confirm you're not just guessing codes, and detect issues with your verification device's clock."
Perhaps Keycloak could add such a feature as well.
Cheers,
Thomas
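For readers who want to see the policy described above spelled out, here is an added illustration (not code from the Lombok demo or from Keycloak): a standard RFC 6238 TOTP check that, after one wrong or far-off code, demands three consecutive valid codes from successive time steps and records the device's clock offset from the time window that matched. The streak length, the one-step skew window and the rule that each streak code must come from a later time step than the previous one are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) with HMAC-SHA1, the primitive behind TOTP (RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

class TotpVerifier:
    """TOTP check that, after one invalid code, demands several consecutive valid codes.

    Assumed policy (not Keycloak's or the Lombok demo's code): each code of the streak must
    come from a later time step than the previous one, so retyping the same code does not
    count, and any miss restarts the streak.
    """

    def __init__(self, secret: bytes, window: int = 1, required_after_miss: int = 3):
        self.secret = secret
        self.window = window                  # accepted clock skew, in steps either side
        self.required = required_after_miss
        self.streak_needed = 0                # valid codes still owed before access
        self.last_counter = None              # highest step already consumed (anti-replay)
        self.drift_steps = None               # device clock offset seen at the last match

    def _match(self, code: str, now: float):
        counter = int(now) // STEP
        for delta in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter + delta), code):
                return counter + delta, delta
        return None, None

    def verify(self, code: str, now: float):
        c, delta = self._match(code, now)
        if c is None or (self.last_counter is not None and c <= self.last_counter):
            # wrong, far-off or replayed code: a fresh streak of valid codes is required
            self.streak_needed = self.required
            return False, "invalid code; enter %d consecutive valid codes" % self.required
        self.last_counter, self.drift_steps = c, delta
        if self.streak_needed > 0:
            self.streak_needed -= 1
            if self.streak_needed:
                return False, "valid; %d more consecutive code(s) needed" % self.streak_needed
        return True, "authenticated"

    def clock_drift_seconds(self):
        return None if self.drift_steps is None else self.drift_steps * STEP
```

A non-zero `clock_drift_seconds()` after a completed streak is the signal the quoted message refers to: the codes were right, but the device's clock is consistently ahead of or behind the server's.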