[keycloak-user] Reset OTP
Stian Thorgersen
sthorger at redhat.com
Tue Jan 10 03:17:56 EST 2017
We plan to introduce support to have more than one second factor mechanism
associated with an account [1]. This will allow having a primary device as
well as the option to select a backup device.
With the addition of different types of second factor mechanisms like SMS
[2] or backup codes users have a way to authenticate with alternative
mechanisms.
Once this is added there is strictly no need to enable reset OTP via email
and users should have backup mechanisms configured and/or contact admins.
[1] https://issues.jboss.org/browse/KEYCLOAK-1522
[2] https://issues.jboss.org/browse/KEYCLOAK-241
On 10 January 2017 at 06:45, Dumitru Sbenghe <dsbenghe at gmail.com> wrote:
> Hi,
>
> Correct me if I'm wrong but as far as I see the the only way to reset your
> OTP is part of the reset password via email - optional feature (or disable
> otp for that user in the admin ui) which seems to make the OTP usage as 2sv
> heaps less secure than it should be considering that it can be reset
> together with the password via email.
>
> >From reading the docs to make a reset OTP via sms for example, an
> authentication spi needs to be implemented, isnt it? Any plans to implement
> a more secure otp reset as standard feature in KeyCloak?
>
> Thanks,
> Dumitru
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list