Keycloak shortcomings

This issue serves to track Keycloak shortcomings that we've found.

Email-squatting is possible as users can change their email to any random other email which allows you to block emails. This is not a security issue but it's pretty annoying. https://issues.redhat.com/browse/KEYCLOAK-6455
~~No audit logs. These exist but we have to set them up properly: https://www.keycloak.org/docs/latest/server_admin/#auditing-and-events~~
~~Doesn't allow multiple OTP devices. https://issues.redhat.com/browse/KEYCLOAK-14297~~
~~Users can't add WebAuthn providers in the account management page. https://issues.redhat.com/browse/KEYCLOAK-14298~~
Users should be forced to an OTP before removing an OTP device. https://issues.redhat.com/browse/KEYCLOAK-14296
Allow users to have multiple emails. https://issues.redhat.com/browse/KEYCLOAK-14295
~~Check that "forgot password" via email does not reset MFA which makes MFA basically useless #112 (closed)~~
Not being able to set your default OTP/Security key https://issues.redhat.com/browse/KEYCLOAK-18957

Edited Aug 03, 2021 by Jelle van der Waa

Admin message