[keycloak-user] move the authenticator setup from the user profile to the administration

Antoine Delaunay antoine.delaunay at BE.Zetes.com
Fri Aug 25 06:01:38 EDT 2017


Hello,

How can I prevent an intruder who knows the user's password from resetting the user's authenticator secret and capturing the new value? It seems allowing this negates the added value of the 2FA system.

Is my understanding of the system incorrect?

If not, I could go for a solution where, once the authenticator is set up, it cannot be deleted without an admin action.
I could also envision the 2FA setup to be a face-to-face operation involving the user going over to the admin desk with his phone.

I thought I would ask here before hacking away at the source code.

Sincerely,
-- 
Antoine Delaunay
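The concern in the post can be made concrete with a small model. The following is an added example, not Keycloak code and not anything the author proposed for the source tree: a minimal TOTP implementation (RFC 4226/6238) plus a re-enrollment service with two policies. The weak policy lets anyone holding the password replace a configured authenticator; the stricter policy requires either the current OTP code or an administrator acting on the account, which corresponds to the "no deletion without an admin action" option above. All names (`User`, `OtpService`, `outcome`) and the sample users are constructed for the illustration.

```python
"""Model of OTP re-enrollment policies (added example, not Keycloak code)."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (default 30 s)."""
    return hotp(secret, at // step)


@dataclass
class User:
    name: str
    password: str                 # plaintext only in this model; a real store hashes it
    otp_secret: Optional[bytes] = None
    is_admin: bool = False


@dataclass
class OtpService:
    # True  = the situation the post worries about: the password alone is enough
    #         to replace an already configured authenticator.
    # False = replacing a configured authenticator needs the current OTP code,
    #         or an administrator performing the reset (e.g. at the help desk).
    allow_self_reset_with_password_only: bool = False
    step: int = 30

    def _password_ok(self, user: User, password: Optional[str]) -> bool:
        return password is not None and hmac.compare_digest(user.password, password)

    def _otp_ok(self, user: User, code: Optional[str], now: int) -> bool:
        if user.otp_secret is None or code is None:
            return False
        # Accept the current step and one step either side to tolerate clock skew.
        return any(
            hmac.compare_digest(totp(user.otp_secret, now + d * self.step, self.step), code)
            for d in (-1, 0, 1)
        )

    def reset_authenticator(self, user: User, actor: User, password: Optional[str] = None,
                            current_code: Optional[str] = None, now: Optional[int] = None) -> bytes:
        """Replace user's OTP secret, or raise PermissionError if policy forbids it."""
        now = int(time.time()) if now is None else now
        if not actor.is_admin:
            if actor is not user:
                raise PermissionError("only the account owner or an administrator may reset")
            if not self._password_ok(user, password):
                raise PermissionError("wrong password")
            # Initial enrollment (no secret yet) only needs the password; replacing an
            # existing secret is where the two policies differ.
            if user.otp_secret is not None and not self.allow_self_reset_with_password_only:
                if not self._otp_ok(user, current_code, now):
                    raise PermissionError("current OTP code required to replace authenticator")
        user.otp_secret = secrets.token_bytes(20)
        return user.otp_secret


def outcome(allow_self_reset: bool, supply_otp_code: bool, as_admin: bool = False) -> str:
    """Run one reset attempt against a freshly enrolled user and report what happened."""
    alice = User("alice", "correct horse", otp_secret=b"k" * 20)   # constructed sample user
    helpdesk = User("helpdesk", "unused", is_admin=True)           # constructed admin
    svc = OtpService(allow_self_reset_with_password_only=allow_self_reset)
    now = 1_500_000_000
    code = totp(alice.otp_secret, now) if supply_otp_code else None
    old = alice.otp_secret
    try:
        svc.reset_authenticator(alice, helpdesk if as_admin else alice,
                                password="correct horse", current_code=code, now=now)
    except PermissionError:
        return "denied"
    return "replaced" if alice.otp_secret != old else "unchanged"


if __name__ == "__main__":
    print("weak policy, password only:   ", outcome(True, False))    # replaced
    print("strict policy, password only: ", outcome(False, False))   # denied
    print("strict policy, with OTP code: ", outcome(False, True))    # replaced
    print("strict policy, admin action:  ", outcome(False, False, as_admin=True))  # replaced
```

The `outcome` calls show the difference the post is asking about: under the weak policy a stolen password is enough to swap in an attacker-controlled secret, while under the strict policy the same attempt is denied and only the legitimate owner (holding the current device) or an administrator can re-enroll.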

