Is there a way for a standard user to do an OTP reset?

I’m using Keycloak 8.0.1 at my workplace and get a lot of requests to reset the OTP codes for my users.
The only way I know to do this is to:

  • log into keycloak with an admin account
  • go to the desired realm
  • go to Users / search for the user and go to their details page
  • go to Credentials tab and choose Configure OTP under Reset Actions
  • Send email


Is there a way for a standard user to reset his or her own OTP? It would be nice for users to have a Reset Credentials button where they could reset their password or OTP codes themselves (via email validation).

The user can visit their own account management, where there is an option to delete the configured authenticator: /auth/realms/<realm>/account/totp. The user will be asked to configure a new authenticator during the next login. Of course, this will not work if the user doesn’t know their current authenticator code.

OTP reset via email doesn’t look good. If an attacker has the user’s credentials, then they very likely also have access to the user’s email, so they will be able to reinitialize the OTP authenticator easily. Keep security in mind, not just user experience.

IMHO the best approach is to have your own “self-service”, where you verify the user’s identity properly (user credentials + some additional identity factor) and then reset the user’s TOTP via the Keycloak REST API.

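As an added illustration of the self-service approach suggested above (example code, not from the original thread or the Keycloak project): the back-end step that runs only after the service has verified the user by its own additional factor. It uses the Keycloak Admin REST API endpoints for listing and deleting a user's credentials and for updating the user's required actions; the admin bearer token, base URL (include `/auth` only if `http-relative-path` is set to it) and the injectable `transport` are assumptions so the logic can be exercised offline.

```python
import json
import urllib.request


def urllib_transport(method, url, headers, body):
    """Default HTTP transport: returns (status, raw_body) for one request."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def admin_call(base_url, token, method, path, body=None, transport=urllib_transport):
    """One call to the Keycloak Admin REST API; raises on a non-2xx status."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    status, raw = transport(method, f"{base_url}{path}", headers, data)
    if not 200 <= status < 300:
        raise RuntimeError(f"{method} {path} -> HTTP {status}")
    return json.loads(raw) if raw else None


def otp_credential_ids(credentials):
    """Select the OTP entries (type == 'otp') from a user's credential list."""
    return [c["id"] for c in credentials if c.get("type") == "otp"]


def reset_user_otp(base_url, realm, user_id, token, transport=urllib_transport):
    """Remove every OTP credential of the user and force re-enrolment.

    Call this only after the self-service front end has verified the user
    with a factor other than the one being reset. Returns the removed ids.
    """
    user_path = f"/admin/realms/{realm}/users/{user_id}"
    creds = admin_call(base_url, token, "GET", f"{user_path}/credentials",
                       transport=transport)
    removed = otp_credential_ids(creds)
    for cid in removed:
        admin_call(base_url, token, "DELETE", f"{user_path}/credentials/{cid}",
                   transport=transport)
    # Require a new authenticator at the next login instead of leaving the
    # account without a second factor.
    admin_call(base_url, token, "PUT", user_path,
               {"requiredActions": ["CONFIGURE_TOTP"]}, transport=transport)
    return removed
```

The admin token should come from a dedicated confidential client whose service account holds only the `manage-users` role for that realm, so a compromise of the self-service app cannot reach other admin functions.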

Thanks :)

Hi Jangarai,
I’m trying the /auth/realms/<realm>/account/totp URL, but on one of our Keycloak instances we get the message ‘Page not found’, and on the other (test) instance we get the message ‘No access’ with a link: ‘<< Back to application’.
Is there something I need to configure?

Please help me out.
Kind regards,
Albert Jol

Have you ever figured it out?

Hi,

Did you resolve this issue?

In my use case, I use /auth/realms//account/totp to register MFA, and after the MFA registration I used the same link to display the list of registered MFA entries. It works in Keycloak v18, but the MFA device list page does not work in version 21: I get ‘Page not found’.

Any idea?

Regards,
Nandika

Have you configured the http-relative-path option to use /auth?
If not, try using the mentioned URL without the /auth part.

Yes Niko,

This is my request

https://<>/auth/realms/<>/account/totp?kc_locale=de&customer=<>

BR
Nandika

Ah, now I see… you are using the old, legacy account console, which has been deprecated for a long time and was finally removed some time ago.

In the current account console, you can access your signing-in credentials with https://{hostname}/auth/realms/{realmname}/account/#/security/signingin

Hi @dasniko,

Thanks for the suggestion; I’m still having the same issue. However, it seems some adjustments need to be made on the application side as well. I will update the channel with the status once all is done.

-Nandika