Is there a way for a standard user to do an OTP reset?

I’m using Keycloak 8.0.1 at my workplace and get a lot of requests to reset the OTP codes for my users.
The only known way for me to do this is to:

  • log into keycloak with an admin account
  • go to the desired realm
  • go to Users / search for the user and go to their details page
  • go to Credentials tab and choose Configure OTP under Reset Actions
  • Send email


Is there a way for a standard user to reset his or her own OTP? It would be nice for users to have a Reset Credentials button where they could reset their password or OTP codes themselves (via email validation).

User can visit own account management, where is option to delete configured authenticator - /auth/realms/<realm>/account/totp. User will be requested to configure new authenticator during next login. Of course this one will be not working if user doesn’t know his current authenticator code.

OTP reset via email doesn’t look good. If attacker has user credentials, then he has very likely also access to user email, so he will be able to reinitialize OTP authenticator easily. Keep in mind security, not just user experience.

IMHO the best approach is to have own “selfservice”, where you will verify user identity properly (user credentials + some additional identity factor) + user TOTP reset via Keycloak REST API.

1 Like

Thanks :slight_smile:

Hi Jangarai,
I’m trying the /auth/realms/<realm>/account/totp, but at one of our Keycloak-instances we get the message ‘Page not found’, and at the other (test) instance we get the message ‘No access’ with a link: ‘<< Back to application’.
Is there something I need to configure?

Please help me oput.
Kind regards,
Albert Jol

Have you ever figured it out?


Did you resolve this issue?

In my use-case, I use the /auth/realms//account/totp to register MFA and after the MFA registration, I used the same link to display the list of registered MFA entries. It works in Keycloak v18. But MFA device list page does not work in version 21. Getting ‘Page not found’

Any idea?


Have you configured the http-relative-path option to use /auth?
If not, try to use the mentione URL without /auth part.

Yes Niko,

This is my request



Ah, now I see… you are using the old, legacy account console, which is for long time already deprecated and was finally removed some time ago.

In the current account console, you can access your signing-in credentials with https://{hostname}/auth/realms/{realmname}/account/#/security/signingin

Hi @dasniko,

Thanks for the suggestion, I’m still having the same issue. However, seems some adjustments need to be made on the application side as well. I will update the channel with the status once all done.