[keycloak-user] Requiring 2FA?

Max Allan max.allan+keycloak at surevine.com
Fri Feb 22 11:03:19 EST 2019

I have a client app, and have enabled 2FA (totp) as a required step in it's
browser auth flow.

What we find is that some new users have been able to get the "reset your
password" link, reset their password and somehow access the client WITHOUT
Most reset their password and are then prompted to setup TOTP 2FA.

I assume this is because to reset your password, you gain a valid session,
and if you then visit the client URL, keycloak does SSO via a different
flow and lets you in.
Except when I've tried to make that happen, it doesn't work like that! I
have no idea how the users manage to break it...

Should I enable 2FA on the "account" client's browser auth flow as well?
Will that allow people to reset their passwords normally? Or is there
something else I can do to prevent password resets from also being "logins,
without 2FA"?
I don't quite understand how some of the other flows are supposed to work,
if I added TOTP to a flow the user doesn't normally interact with, would it
cause confusion? It feels like the wrong thing to do.


More information about the keycloak-user mailing list