Disabling OTP setup with "Forgot Password" / Reset Credentials flow

New to Keycloak, but I noticed the default settings with Keycloak are to force an MFA/OTP reset when a user goes through the Forgot Password (Reset Credentials) flow. I’d like to change it so when a user does this, it only asks them to reset their password but not the MFA/OTP token.

The documentation covers this here but the recommendation to disable this behavior is:

If you do not want OTP reset, then just choose the disabled radio button to the right of Reset OTP.

My question is, couldn’t I just choose disabled for Reset Conditional - OTP? I’m not sure if there would be any other side effects or differences from the two options.

Red is what the documentation recommends. Blue is what I’m wondering if it will work, or deleting Reset - Conditional OTP altogether. I guess I’m not following what the purpose of Reset - Conditional OTP would be with Reset OTP set to disabled.

Reading the browser authentication flow example in the docs makes me think further about what I mentioned above. I think Reset - Conditional OTP is essentially doing nothing if the only condition, Reset OTP, is disabled:

  1. The second execution in the Forms sub-flow is a new sub-flow: the Browser - Conditional OTP sub-flow. Since this sub-flow is conditional, whether it is executed depends on the result of the evaluation of the Condition - User Configured execution. If it is, the executions for this sub-flow are loaded and the same processing logic occurs.
  2. The next execution is the Condition - User Configured. This checks if the other executions in the flow are configured for the user. Meaning that the Browser - Conditional OTP sub-flow will only be executed if the user has an OTP credential configured.
  3. The final execution is the OTP Form. This is marked as required, but because of the setup in the conditional subflow, it will only be run if the user has an OTP credential set up. If he doesn’t, the user will not see an OTP form.

I could fix it this way.

Step 1: Create a new ‘Reset Credentials’ flow (copy from existing flow)

Step 2: Add a new execution ‘OTP Form’ (refer to the image below)

Step 3: Bind the new reset credentials flow in Authentication >> Bindings >> Reset Credentials

Expected flow:

  1. OTP is required for MFA-enabled users before the reset password page loads
  2. OTP should not be reset after changing the password
  3. The reset password page loads directly for non-MFA users (no OTP page needed)

Hope this solves your problem.

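The three steps above, scripted against the Keycloak admin REST API as an added example (not code from the thread or from the Keycloak project). It assumes curl and jq are installed, a realm named `myrealm`, an admin user in the `master` realm, and that the built-in flow to copy has the alias `reset credentials`; the new alias `reset-credentials-with-otp` is a constructed name.

```bash
#!/usr/bin/env bash
# Added example: copy the built-in Reset Credentials flow, add an OTP Form
# execution to the copy, mark it REQUIRED and bind the copy to the realm.
set -euo pipefail

KC_URL="${KC_URL:-http://localhost:8080}"
REALM="${REALM:-myrealm}"                                # assumed realm name
NEW_FLOW="${NEW_FLOW:-reset-credentials-with-otp}"       # constructed alias (no spaces, so no URL-encoding)
DRY_RUN="${DRY_RUN:-0}"                                  # 1 = print requests instead of sending them

# Obtain an admin access token from the master realm via the built-in admin-cli client.
kc_token() {
  curl -sf -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
    -d grant_type=password -d client_id=admin-cli \
    -d "username=${KC_ADMIN:-admin}" -d "password=${KC_ADMIN_PASSWORD:?set KC_ADMIN_PASSWORD}" \
    | jq -r .access_token
}

# kc_call METHOD PATH [JSON]: one request under /admin/realms/$REALM; dry-run just prints it.
kc_call() {
  local method="$1" path="$2" body="${3:-}"
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s %s %s\n' "$method" "$path" "$body"
    return 0
  fi
  : "${TOKEN:=$(kc_token)}"                              # fetch the token once, reuse it
  local args=(-sf -X "$method" "$KC_URL/admin/realms/$REALM$path"
              -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json')
  [ -n "$body" ] && args+=(-d "$body")
  curl "${args[@]}"
}

configure_reset_flow() {
  # Step 1: copy "reset credentials" under a new alias (space is URL-encoded in the path).
  kc_call POST "/authentication/flows/reset%20credentials/copy" "{\"newName\":\"$NEW_FLOW\"}"
  # Step 2: append an OTP Form execution; auth-otp-form is the provider id behind "OTP Form".
  kc_call POST "/authentication/flows/$NEW_FLOW/executions/execution" '{"provider":"auth-otp-form"}'
  # A freshly added execution starts DISABLED: flip it to REQUIRED (needs the live execution list).
  if [ "$DRY_RUN" != "1" ]; then
    kc_call GET "/authentication/flows/$NEW_FLOW/executions" \
      | jq -c '.[] | select(.providerId=="auth-otp-form") | .requirement="REQUIRED"' \
      | while read -r exec_json; do
          kc_call PUT "/authentication/flows/$NEW_FLOW/executions" "$exec_json"
        done
  fi
  # Step 3: bind the copy as the realm's Reset Credentials flow (same as Authentication >> Bindings).
  kc_call PUT "" "{\"resetCredentialsFlow\":\"$NEW_FLOW\"}"
}

if [ "${1:-}" = "apply" ]; then configure_reset_flow; fi
```

Run it as `KC_ADMIN_PASSWORD=... ./script.sh apply`, or with `DRY_RUN=1` to see the requests first. The appended execution lands at the end of the flow, so move it up in the admin console (or via the execution's raise-priority endpoint) if the OTP check should come before the Reset Password step, as in the expected flow above.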

Thanks @Nandika, that was exactly what I was looking for.


Actually, this only enforces OTP for users that have been configured before, i.e. users that have initially set up an OTP.

If you want to enforce OTP for all users, regardless of whether they have been configured or not (which effectively disables “reset password” for non-configured users, which is what I was looking for), you have to use this flow instead:

Greetings,
Martin