I’m trying to make an authentication flow that involves 2 out of N available authentication credentials.
My intention is to get people to use WebAuthn + OTP as the main way, and then use the password or other methods as fallback/recovery. I have tried to achieve this with different layouts but so far I can’t get it right.
For example, this flow allows for using the password as an alternative to either WebAuthn or OTP:
But it doesn’t work, because it allows a user to log in by using just the password twice.
Another layout I tried was this:
Trying to do the second flow as an alternative to the first one, which is just WebAuthn + OTP, but it doesn’t work, because during the WebAuthn prompt there is no link to any alternative.
I’m beginning to think the “2 out of N” (in my case 2 out of 3) case is not doable in Keycloak without writing any custom flow elements.
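The gap described in the post, as an added example that is not part of the original post and is not Keycloak code: a simplified model in which a flow is a list of required steps, each a set of alternative credential types. The layout of `NAIVE_FLOW` is assumed from the post's description, and all function names are hypothetical.

```python
# Simplified model (an assumption, not Keycloak's flow engine): a flow is a
# list of REQUIRED steps, each step a set of ALTERNATIVE credential types.
from itertools import product

FACTORS = {"webauthn", "otp", "password"}

# Layout as described in the post: password is an alternative in both steps.
NAIVE_FLOW = [{"webauthn", "password"}, {"otp", "password"}]


def flow_accepts(flow, presented):
    """Stateless check: the i-th credential only has to satisfy the i-th step."""
    return len(presented) == len(flow) and all(
        cred in step for cred, step in zip(presented, flow)
    )


def flow_accepts_distinct(flow, presented):
    """Stateful check: a credential type already used in an earlier step is refused."""
    if len(presented) != len(flow):
        return False
    used = set()
    for cred, step in zip(presented, flow):
        if cred not in step or cred in used:
            return False
        used.add(cred)
    return True


def two_of_n(presented, required=2):
    """The intended policy: at least `required` distinct credential types."""
    return len(set(presented) & FACTORS) >= required


def policy_gaps(flow, accepts=flow_accepts):
    """Credential sequences the flow accepts although the policy rejects them."""
    return sorted(
        seq for seq in product(sorted(FACTORS), repeat=len(flow))
        if accepts(flow, seq) and not two_of_n(seq)
    )


if __name__ == "__main__":
    print("stateless gaps:", policy_gaps(NAIVE_FLOW))
    print("stateful gaps: ", policy_gaps([FACTORS, FACTORS], flow_accepts_distinct))
```

The stateless layout accepts the password twice because each step is evaluated without knowledge of which credential type satisfied the previous one. Enforcing 2 out of N means carrying that state between steps.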