We plan to introduce support to have more than one second factor mechanism
associated with an account . This will allow having a primary device as
well as the option to select a backup device.
With the addition of different types of second factor mechanisms like SMS
 or backup codes users have a way to authenticate with alternative
Once this is added there is strictly no need to enable reset OTP via email
and users should have backup mechanisms configured and/or contact admins.
On 10 January 2017 at 06:45, Dumitru Sbenghe <dsbenghe(a)gmail.com> wrote:
Correct me if I'm wrong but as far as I see the the only way to reset your
OTP is part of the reset password via email - optional feature (or disable
otp for that user in the admin ui) which seems to make the OTP usage as 2sv
heaps less secure than it should be considering that it can be reset
together with the password via email.
>From reading the docs to make a reset OTP via sms for example, an
authentication spi needs to be implemented, isnt it? Any plans to implement
a more secure otp reset as standard feature in KeyCloak?
keycloak-user mailing list