[keycloak-user] password reset and OTP

Bill Burke bburke at redhat.com
Tue Mar 21 12:36:40 EDT 2017


Go to the "Authentication" left menu item. Go to the "flows" tab. Select the
"Reset Credentials" flow. Put Reset OTP to "disabled". Then a hijacked
email won't reset OTP.

You can copy and expand this flow with your own validation.  I.e. you 
could ask "mother's maiden name" or other questions.


On 3/21/17 11:52 AM, Bas Passon wrote:
> Hey Guys,
>
> I have a question about the password reset in combination with OTP. I have password reset enabled and OTP reset disabled. I noticed it is possible to remove a user's OTP from his account if you are able to hijack an email account. On the login page of the user account page you can click password reset. An email arrives with a link to reset the password. After resetting the password you are directly logged in to the user's account. No OTP code needed. There you can simply remove OTP. Is there a way to prevent this from happening? Have I got some configuration error?
>
> The Keycloak version in use is 2.5.4.Final.
>
> Kind Regards,
> Bas Passon
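A check a defender could run after making the change Bill describes, added here as an example (it is not from the thread or from the Keycloak project): it reads the realm's "Reset Credentials" flow over the Admin REST API, reports a Reset OTP execution that is not DISABLED, and can disable it. The base URL, realm name and admin bearer token are assumptions; the sample execution list below is constructed.

```python
import json
import urllib.request
from urllib.parse import quote

# Built-in flow alias and the provider id of the Reset OTP authenticator.
RESET_FLOW_ALIAS = "reset credentials"
RESET_OTP_PROVIDER = "reset-otp"

# Constructed sample of what GET .../flows/{alias}/executions returns.
SAMPLE_EXECUTIONS = [
    {"id": "exec-1", "providerId": "reset-credential-email",
     "displayName": "Send Reset Email", "requirement": "REQUIRED"},
    {"id": "exec-2", "providerId": "reset-password",
     "displayName": "Reset Password", "requirement": "REQUIRED"},
    {"id": "exec-3", "providerId": "reset-otp",
     "displayName": "Reset OTP", "requirement": "REQUIRED"},
]


def find_reset_otp_issues(executions):
    """Return Reset OTP executions whose requirement is anything but DISABLED."""
    return [e for e in executions
            if e.get("providerId") == RESET_OTP_PROVIDER
            and e.get("requirement") != "DISABLED"]


def disabled_payload(execution):
    """Copy of an execution representation with its requirement set to DISABLED."""
    fixed = dict(execution)
    fixed["requirement"] = "DISABLED"
    return fixed


def audit_and_fix(base_url, realm, token, fix=False):
    """Audit the realm's Reset Credentials flow; with fix=True, disable Reset OTP.

    base_url is e.g. "https://keycloak.example/auth" (assumed); token is an
    admin access token obtained separately. Returns the offending executions.
    """
    url = (f"{base_url}/admin/realms/{quote(realm)}/authentication/flows/"
           f"{quote(RESET_FLOW_ALIAS)}/executions")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        executions = json.load(r)
    issues = find_reset_otp_issues(executions)
    for execution in issues if fix else []:
        body = json.dumps(disabled_payload(execution)).encode()
        req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
        urllib.request.urlopen(req).close()
    return issues
```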


