Figure out how to handle Keycloak and 2FA resets
Resetting the password allows the user (or an attacker) to add a new 2FA device without 2FA, which makes 2FA basically useless. We can fix the issue by disabling the Reset OTP element in the Reset Credentials flow (relevant doc), but it breaks Forgot Password for some (all?) users.
We also need to set a policy for 2FA reset. Is it just bad luck?
Relevant upstream issues:
Relevant meeting notes: https://gitlab.archlinux.org/archlinux/infrastructure/-/wikis/meetings/2020-09-05
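As an added example (not from this issue or from Keycloak's own code), a small offline audit helper for the problem described above: it takes the JSON that Keycloak's admin REST API returns for the `reset credentials` flow (`GET /admin/realms/{realm}/authentication/flows/reset%20credentials/executions`), reports whether a password reset still lets a user re-enrol OTP, and builds the body for the corresponding `PUT` that disables the Reset OTP execution. The execution ids in the sample are constructed; the providerIds are Keycloak's built-in ones.

```python
"""Audit a Keycloak realm's "reset credentials" flow for the OTP-reset weakness.

Input: the list returned by
  GET /admin/realms/{realm}/authentication/flows/reset%20credentials/executions
Each element is an AuthenticationExecutionInfoRepresentation carrying at least
"id", "providerId", "displayName" and "requirement".
"""
import json

RESET_OTP_PROVIDER = "reset-otp"  # providerId of the "Reset OTP" execution

# Constructed sample of the executions endpoint on a default realm.
# The ids are made up; the providerIds are Keycloak's built-in reset-flow authenticators.
SAMPLE_EXECUTIONS = json.loads("""[
  {"id": "11111111-0000-0000-0000-000000000001", "requirement": "REQUIRED",
   "displayName": "Choose User", "providerId": "reset-credentials-choose-user"},
  {"id": "11111111-0000-0000-0000-000000000002", "requirement": "REQUIRED",
   "displayName": "Send Reset Email", "providerId": "reset-credential-email"},
  {"id": "11111111-0000-0000-0000-000000000003", "requirement": "REQUIRED",
   "displayName": "Reset Password", "providerId": "reset-password"},
  {"id": "11111111-0000-0000-0000-000000000004", "requirement": "REQUIRED",
   "displayName": "Reset OTP", "providerId": "reset-otp"}
]""")


def find_reset_otp(executions):
    """Return the Reset OTP execution of the flow, or None if there is none."""
    for ex in executions:
        if ex.get("providerId") == RESET_OTP_PROVIDER:
            return ex
    return None


def otp_reset_allowed(executions):
    """True when completing a password reset also lets the user enrol a new OTP
    device without presenting a second factor (any requirement other than DISABLED)."""
    ex = find_reset_otp(executions)
    return ex is not None and ex.get("requirement") != "DISABLED"


def disable_payload(executions):
    """Body for PUT .../flows/reset%20credentials/executions that disables Reset OTP.
    Keycloak expects the execution representation back with only "requirement" changed."""
    ex = find_reset_otp(executions)
    if ex is None:
        raise ValueError("flow has no reset-otp execution")
    return {**ex, "requirement": "DISABLED"}


if __name__ == "__main__":
    state = "ALLOWS" if otp_reset_allowed(SAMPLE_EXECUTIONS) else "blocks"
    print(f"reset credentials flow {state} OTP re-enrolment without 2FA")
    print(json.dumps(disable_payload(SAMPLE_EXECUTIONS), indent=2))
```

Remember the caveat from the issue: after applying the PUT, re-test Forgot Password for affected users, since disabling Reset OTP broke it for some of them.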