Go to the "Authentication" left menu item. Go to the "Flows" tab. Select
the "Reset Credentials" flow. Set Reset OTP to "disabled". Then a hijacked
email won't reset OTP.
You can copy and expand this flow with your own validation, e.g. you
could ask for "mother's maiden name" or other questions.
On 3/21/17 11:52 AM, Bas Passon wrote:
Hey Guys,
I have a question about the password reset in combination with OTP. I have password reset
enabled and OTP reset disabled. I noticed it is possible to remove a user's OTP from his
account if you are able to hijack an email account. On the login page of the user account
page you can click password reset. An email arrives with a link to reset the password.
After resetting the password you are directly logged in to the user's account. No OTP
code needed. There you can simply remove OTP. Is there a way to prevent this from
happening? Have I got some configuration error?
The Keycloak version in use is 2.5.4.Final.
Kind Regards,
Bas Passon
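The admin-console step from the reply above (Authentication, Flows tab, "Reset Credentials" flow, Reset OTP set to disabled) done and then re-checked through the Keycloak Admin REST API instead, as an added example that is not code from either poster. It assumes an admin bearer token, the realm name, the built-in flow alias "reset credentials" and the execution providerId "reset-otp"; the base URL includes "/auth" on Keycloak 2.x, and the execution list below is a constructed sample shaped like the API's response.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of what GET .../authentication/flows/{alias}/executions returns
# for the default "reset credentials" flow (ids are placeholders, not real values).
SAMPLE_EXECUTIONS = [
    {"id": "ex-1", "displayName": "Choose User", "providerId": "reset-credentials-choose-user",
     "requirement": "REQUIRED", "level": 0, "index": 0},
    {"id": "ex-2", "displayName": "Send Reset Email", "providerId": "reset-credential-email",
     "requirement": "REQUIRED", "level": 0, "index": 1},
    {"id": "ex-3", "displayName": "Reset Password", "providerId": "reset-password",
     "requirement": "REQUIRED", "level": 0, "index": 2},
    {"id": "ex-4", "displayName": "Reset OTP", "providerId": "reset-otp",
     "requirement": "REQUIRED", "level": 0, "index": 3},
]
RESET_OTP_PROVIDER = "reset-otp"

def find_reset_otp(executions):
    """Return the Reset OTP execution entry, or None if the flow has none."""
    return next((e for e in executions if e.get("providerId") == RESET_OTP_PROVIDER), None)

def reset_otp_is_disabled(executions):
    """Audit check: True only when the flow has Reset OTP and it is DISABLED."""
    ex = find_reset_otp(executions)
    return ex is not None and ex.get("requirement") == "DISABLED"

def disabled_update(executions):
    """Body for PUT .../flows/{alias}/executions that sets Reset OTP to DISABLED."""
    ex = find_reset_otp(executions)
    if ex is None:
        raise ValueError("flow has no reset-otp execution")
    return dict(ex, requirement="DISABLED")   # copy with only the requirement changed

def executions_url(base, realm, flow_alias="reset credentials"):
    """Admin endpoint for a flow's executions; the alias contains a space, so quote it."""
    return "%s/admin/realms/%s/authentication/flows/%s/executions" % (
        base, realm, urllib.parse.quote(flow_alias))

def enforce_on_server(base, realm, token):
    """Fetch the live flow, disable Reset OTP if needed, and re-read to confirm."""
    url = executions_url(base, realm)
    hdr = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=hdr)) as r:
        execs = json.load(r)
    if not reset_otp_is_disabled(execs):
        body = json.dumps(disabled_update(execs)).encode()
        urllib.request.urlopen(urllib.request.Request(url, data=body, headers=hdr, method="PUT"))
    with urllib.request.urlopen(urllib.request.Request(url, headers=hdr)) as r:
        return reset_otp_is_disabled(json.load(r))
```

Run `enforce_on_server("http://localhost:8080/auth", "demo", token)` against a live server; the remaining functions work offline on the sample and are what the audit and update are built from.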