Figure out how to handle Keycloak and 2FA resets

Resetting the password allows the user (or attacker) to add a new 2FA device without 2FA, which makes 2FA basically useless. We can fix the issue, by disabling the Reset OTP element in the Reset Credentials flow (relevant doc), but it breaks Forgot Password for some(all?) users.

We also need to set a policy for 2FA reset. Is it just bad luck?

Relevant upstream issues:

https://issues.redhat.com/browse/KEYCLOAK-13134
https://issues.redhat.com/browse/KEYCLOAK-14640

Relevant meeting notes: https://gitlab.archlinux.org/archlinux/infrastructure/-/wikis/meetings/2020-09-05

Edited Sep 06, 2020 by Sven-Hendrik Haase

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information