[keycloak-user] OTP Policy updates not reflected in Google Authenticator
Marek Posolda
mposolda at redhat.com
Tue Oct 3 02:22:25 EDT 2017
I am not sure if we check the current OTP policy of the user and take it
into account instead of the default realm OTP policy. For passwords, we
are doing it (the password hashing algorithm is saved together with the user's
password. When the realm password hashing policy is changed, the user's
password is still verified against the old algorithm during the first
authentication of that user after the realm policy is changed, and then
the password is updated in the DB with the new algorithm).
Feel free to create a JIRA with steps to reproduce. I think we can improve
this for OTP and ask the user to configure a new OTP after the change. I am not sure if
this should be configurable or not; I can see some potential security
implications of it.
Marek
On 30/09/17 14:47, forums.akurathi at gmail.com wrote:
> Dear all,
>
> We are running into a weird problem, i.e., updates to the OTP policy do not reflect in the Google Authenticator app. We wonder whether any special instructions are needed to get this working.
>
> A sequence of steps:
>
> 1) create realm, create user
> 2) enable OTP
> 3) login with the newly created user
> 4) system asks you to configure OTP
> 5) update the OTP policy, e.g. the number of digits from 6 to 8
> 6) try login again
> 7) system asks you to enter the OTP but authentication fails
>
> We expect the system should route the user to the configure OTP page rather than prompting to enter an OTP which fails anyway.
>
> Your response is highly appreciated !!!
>
> Thanks in advance
>
> Regards
> Krishna Kumar Akurathi
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
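The mismatch both posters describe, and the "store the policy next to the credential" approach the password analogy suggests, can be reproduced offline. The following is an added example written for this thread; it is not Keycloak code and not from either poster. It implements RFC 4226 HOTP / RFC 6238 TOTP from the standard library, keeps the enrolled policy (digits, period, algorithm) on the stored credential, and compares three behaviours: verifying a 6-digit code under a realm policy that has since moved to 8 digits (what the original poster hit), verifying it under the policy the credential was enrolled with, and a hypothetical `authenticate` function that either accepts the stale-policy code once and then forces `CONFIGURE_TOTP` (the password rehash-on-login pattern) or skips straight to reconfiguration (what the poster expected). `OtpPolicy`, `OtpCredential`, `authenticate` and the `accept_stale_once` switch are hypothetical names; the secret is the RFC 6238 SHA-1 test seed and the timestamps are constructed inputs.

```python
"""Added illustration for the keycloak-user thread; not Keycloak's own code.
Per-credential OTP policy storage, mirroring what the thread describes
for password hashing. All class and function names are hypothetical."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class OtpPolicy:
    """Realm-level TOTP parameters (RFC 6238: digits, time step, HMAC hash)."""
    digits: int = 6
    period: int = 30
    algorithm: str = "sha1"
    look_around: int = 1  # time steps of clock skew accepted either side


@dataclass
class OtpCredential:
    """User's stored TOTP credential: secret plus the policy it was enrolled under."""
    secret: bytes
    policy: OtpPolicy


def hotp(secret: bytes, counter: int, digits: int, algorithm: str) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, policy: OtpPolicy) -> str:
    """RFC 6238 TOTP: what the authenticator app computes for the current time step."""
    return hotp(secret, unix_time // policy.period, policy.digits, policy.algorithm)


def code_matches(secret: bytes, code: str, unix_time: int, policy: OtpPolicy) -> bool:
    """Check `code` against every step in the look-around window under `policy`.
    compare_digest returns False on a length mismatch, so a 6-digit code never
    matches an 8-digit expectation (the failure in step 7 of the thread)."""
    step = unix_time // policy.period
    for delta in range(-policy.look_around, policy.look_around + 1):
        expected = hotp(secret, step + delta, policy.digits, policy.algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(cred: OtpCredential, code: str, unix_time: int,
                 realm_policy: OtpPolicy, accept_stale_once: bool) -> tuple:
    """Hypothetical OTP step returning (outcome, required_actions).
    Policy unchanged: verify under it. Policy changed and accept_stale_once:
    verify under the enrolled policy and then require CONFIGURE_TOTP, like the
    password rehash-on-login the thread describes (cost: the weaker policy is
    honoured one more time). Policy changed and not accept_stale_once: route
    straight to CONFIGURE_TOTP, as the poster expected (cost: that login is
    effectively password-only)."""
    if cred.policy == realm_policy:
        ok = code_matches(cred.secret, code, unix_time, realm_policy)
        return ("accepted", []) if ok else ("rejected", [])
    if not accept_stale_once:
        return ("reconfigure", ["CONFIGURE_TOTP"])
    if code_matches(cred.secret, code, unix_time, cred.policy):
        return ("accepted", ["CONFIGURE_TOTP"])
    return ("rejected", [])


def reproduce_thread() -> dict:
    """Replays steps 4-7 with the RFC 6238 SHA-1 test seed at T=59 (constructed input)."""
    secret = b"12345678901234567890"
    enrolled = OtpCredential(secret, OtpPolicy(digits=6))  # step 4: app enrolled at 6 digits
    realm = OtpPolicy(digits=8)                            # step 5: admin moves realm to 8
    app_code = totp(secret, 59, enrolled.policy)           # app still shows 6 digits
    return {
        "app_code": app_code,
        "realm_policy_check": code_matches(secret, app_code, 59, realm),
        "stored_policy_check": code_matches(secret, app_code, 59, enrolled.policy),
        "lenient": authenticate(enrolled, app_code, 59, realm, accept_stale_once=True),
        "strict": authenticate(enrolled, app_code, 59, realm, accept_stale_once=False),
    }


if __name__ == "__main__":
    for name, value in reproduce_thread().items():
        print(f"{name}: {value}")
```

Run as a script it prints the 6-digit code the app would show, `False` for the check under the new realm policy, `True` under the stored policy, and the two `authenticate` outcomes. The point of keeping `policy` on `OtpCredential` is that the server knows the credential is stale instead of silently failing the comparison; which of the two recovery paths to take is the configurable choice, with the trade-off for each noted in the docstring.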