Make 2FA optional for non-staff
I'm worried that requiring 2FA for non-staff (less tech savvy users) would result in an increased support burden and bad user experience, as I expect that a non-significant chunk of the users won't backup their TOTP credentials.
AFAIK Keycloak does not support this out-of-the-box, so we would need to create our own authenticator.
Proposal:
- Create a custom (conditional) authenticator SPI
- matchCondition() should evaluate to true if:
  - Role is staff (inspiration: ConditionalRoleAuthenticator.java)
  - OTP is configured (implemented here)
  - WebAuthn is configured (implemented here)
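An added sketch (not code from Keycloak or from this issue) of how the proposed condition could be written as a Keycloak ConditionalAuthenticator: the sub-flow it guards (the OTP/WebAuthn steps) only runs for users who hold the staff role or who already have a second factor enrolled. The class name, the staffRole config key and the Keycloak 19+ credentialManager() API are assumptions; the factory class needed to register the authenticator is not shown.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.models.credential.WebAuthnCredentialModel;

// Condition for a conditional sub-flow that contains the OTP / WebAuthn steps:
// true  -> second-factor step is enforced (staff, or user already enrolled)
// false -> sub-flow is skipped, so non-staff without a factor log in with password only
public class StaffOrEnrolled2faCondition implements ConditionalAuthenticator {

    // Hypothetical config key; role name defaults to "staff" when not configured.
    public static final String CONF_STAFF_ROLE = "staffRole";
    private static final String DEFAULT_STAFF_ROLE = "staff";

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            return false; // no user resolved yet in this flow, nothing to decide on
        }
        return isStaff(context.getRealm(), context.getAuthenticatorConfig(), user)
                || hasSecondFactor(user);
    }

    private static boolean isStaff(RealmModel realm, AuthenticatorConfigModel cfg, UserModel user) {
        String roleName = (cfg != null && cfg.getConfig() != null)
                ? cfg.getConfig().getOrDefault(CONF_STAFF_ROLE, DEFAULT_STAFF_ROLE)
                : DEFAULT_STAFF_ROLE;
        RoleModel role = realm.getRole(roleName);
        return role != null && user.hasRole(role); // follows composite and group roles too
    }

    private static boolean hasSecondFactor(UserModel user) {
        // Keycloak 19+ API (assumed); older releases use
        // session.userCredentialManager().isConfiguredFor(realm, user, type) instead.
        return user.credentialManager().isConfiguredFor(OTPCredentialModel.TYPE)
                || user.credentialManager().isConfiguredFor(WebAuthnCredentialModel.TYPE_TWOFACTOR);
    }

    @Override public void authenticate(AuthenticationFlowContext context) { /* conditions never authenticate */ }
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because an enrolled non-staff user still matches the condition, someone who voluntarily set up TOTP or WebAuthn keeps being prompted for it rather than silently losing the protection.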