This issue serves to track Keycloak shortcomings that we've found.
- Email-squatting is possible: users can change their email to any arbitrary address, so someone can claim an address they do not own and block its real owner from using it. This is not a security issue but it's pretty annoying. https://issues.redhat.com/browse/KEYCLOAK-6455
- No audit logs. These exist but we have to set them up properly: https://www.keycloak.org/docs/latest/server_admin/#auditing-and-events
- Doesn't allow multiple OTP devices. https://issues.redhat.com/browse/KEYCLOAK-14297
- Users can't add WebAuthn providers in the account management page. https://issues.redhat.com/browse/KEYCLOAK-14298
- Users should be forced to an OTP before removing an OTP device. https://issues.redhat.com/browse/KEYCLOAK-14296
- Allow users to have multiple emails. https://issues.redhat.com/browse/KEYCLOAK-14295
- Check that "forgot password" via email does not reset MFA, which would make MFA basically useless. #112 (closed)
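For the audit-log item above, the realm's event settings are what decides whether anything is recorded at all. The script below is an added example (not part of this issue or of Keycloak) that reads a realm's event configuration representation, reports the gaps a reviewer would look for, builds a hardened representation, and can PUT it back through Keycloak's admin REST API. It assumes the admin API is reachable at a `base_url` that already includes any path prefix (`/auth` on the older WildFly-based releases, none on Quarkus builds) and that the caller supplies an admin bearer token; `SAMPLE_CONFIG` is a constructed representation mirroring a freshly created realm, and the list of wanted event types is our own starting point, not a Keycloak default.

```python
"""Added example: audit and harden a Keycloak realm's event configuration.

Not part of the tracked issue or of Keycloak itself. Assumes the admin REST API
lives under ``base_url`` (prefix included) and that an admin access token is
supplied by the caller.
"""
import json
import urllib.request

# Event types we (as an assumption, not a Keycloak default) want retained in the
# realm's event store for incident review.
WANTED_EVENT_TYPES = [
    "LOGIN", "LOGIN_ERROR", "LOGOUT",
    "UPDATE_PASSWORD", "UPDATE_EMAIL", "UPDATE_TOTP", "REMOVE_TOTP",
    "RESET_PASSWORD", "SEND_RESET_PASSWORD",
]

# Constructed sample: what GET /admin/realms/{realm}/events/config returns for a
# freshly created realm (user and admin events off, log listener present).
SAMPLE_CONFIG = {
    "eventsEnabled": False,
    "eventsListeners": ["jboss-logging"],
    "enabledEventTypes": [],
    "adminEventsEnabled": False,
    "adminEventsDetailsEnabled": False,
}


def audit_gaps(cfg):
    """Return human-readable findings for a RealmEventsConfig representation."""
    gaps = []
    if not cfg.get("eventsEnabled"):
        gaps.append("user events are disabled (eventsEnabled=false)")
    if not cfg.get("adminEventsEnabled"):
        gaps.append("admin events are disabled (adminEventsEnabled=false)")
    elif not cfg.get("adminEventsDetailsEnabled"):
        gaps.append("admin events omit the changed representation "
                    "(adminEventsDetailsEnabled=false)")
    listeners = cfg.get("eventsListeners") or []
    if "jboss-logging" not in listeners:
        gaps.append("no jboss-logging listener, so events never reach the server log")
    # Keycloak treats an empty enabledEventTypes list as "store every type",
    # so only a non-empty list can leave wanted types out.
    enabled = cfg.get("enabledEventTypes") or []
    if cfg.get("eventsEnabled") and enabled:
        missing = sorted(set(WANTED_EVENT_TYPES) - set(enabled))
        if missing:
            gaps.append("event types not retained: " + ", ".join(missing))
    if not cfg.get("eventsExpiration"):
        gaps.append("no retention period (eventsExpiration unset); decide how long "
                    "stored events should be kept")
    return gaps


def hardened_config(existing, retention_seconds=90 * 24 * 3600):
    """Build the representation to PUT back: events on, all types stored,
    admin events with details, log listener kept, 90-day retention (our choice)."""
    cfg = dict(existing)
    listeners = set(existing.get("eventsListeners") or []) | {"jboss-logging"}
    cfg.update({
        "eventsEnabled": True,
        "eventsListeners": sorted(listeners),
        "enabledEventTypes": [],  # empty list = store every event type
        "adminEventsEnabled": True,
        "adminEventsDetailsEnabled": True,
        "eventsExpiration": retention_seconds,
    })
    return cfg


def apply_config(base_url, realm, token, cfg):
    """PUT the representation to the realm; Keycloak answers 204 on success."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/events/config",
        data=json.dumps(cfg).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    for finding in audit_gaps(SAMPLE_CONFIG):
        print("-", finding)
    print(json.dumps(hardened_config(SAMPLE_CONFIG), indent=2))
```

Run it against a live realm by fetching the config with a GET on the same path, passing the parsed JSON to `audit_gaps`, and only then calling `apply_config` with the hardened representation; turning on `adminEventsDetailsEnabled` is what makes later changes to a user's credentials or email show up with the before/after representation in the event store.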