I’m using Keycloak 8.0.1 at my workplace and get a lot of requests to reset the OTP codes for my users.
The only way I know to do this is to:
- log into keycloak with an admin account
- go to the desired realm
- go to Users / search for the user and go to their details page
- go to Credentials tab and choose Configure OTP under Reset Actions
- Send email
Is there a way for a standard user to reset his or her own OTP? It would be nice for users to have a Reset Credentials button where they could reset their password or OTP codes themselves (via email validation).
A user can visit their own account management page, where there is an option to delete the configured authenticator:
/auth/realms/<realm>/account/totp. The user will be asked to configure a new authenticator at the next login. Of course this will not work if the user doesn't know their current authenticator code.
OTP reset via email doesn't look good. If an attacker has the user's credentials, then very likely he also has access to the user's email, so he will be able to reinitialize the OTP authenticator easily. Keep security in mind, not just user experience.
IMHO the best approach is to have your own "self-service", where you verify the user's identity properly (user credentials + some additional identity factor) and then reset the user's TOTP via the Keycloak REST API.
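As an added example (not code from the answer above or from Keycloak itself), this is the server-side step of such a self-service: once the user has passed the additional identity check, it removes the user's OTP credentials and forces the CONFIGURE_TOTP required action through the Keycloak 8 Admin REST API. The host name, the admin account and the injectable `send` parameter (so the flow can be exercised offline) are assumptions.

```python
"""Reset a user's TOTP via the Keycloak Admin REST API (assumed /auth URL layout of Keycloak 8)."""
import json
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.com/auth"   # assumed Keycloak base URL
CONFIGURE_TOTP = "CONFIGURE_TOTP"            # Keycloak's required-action id for OTP setup


def call(method, url, token=None, body=None, send=urllib.request.urlopen):
    """Issue one JSON request; `send` is injectable so the flow can be tested offline."""
    headers = {"Accept": "application/json"}
    data = None
    if token:
        headers["Authorization"] = "Bearer " + token
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with send(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(username, password, send=urllib.request.urlopen):
    """Password grant against the master realm using the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    url = f"{BASE}/realms/master/protocol/openid-connect/token"
    with send(urllib.request.Request(url, data=form, method="POST")) as resp:
        return json.loads(resp.read())["access_token"]


def reset_totp(realm, user_id, token, send=urllib.request.urlopen):
    """Delete every OTP credential of the user and require CONFIGURE_TOTP at next login.

    Only call this after the self-service has verified the user with a factor other
    than the OTP being reset (password plus an additional identity check), as the
    answer above recommends. Returns the ids of the removed OTP credentials."""
    user_url = f"{BASE}/admin/realms/{realm}/users/{user_id}"
    creds = call("GET", f"{user_url}/credentials", token, send=send) or []
    removed = [c["id"] for c in creds if c.get("type") == "otp"]
    for cred_id in removed:
        call("DELETE", f"{user_url}/credentials/{cred_id}", token, send=send)
    # Partial user update: Keycloak only applies the fields present in the body.
    call("PUT", user_url, token, {"requiredActions": [CONFIGURE_TOTP]}, send=send)
    return removed
```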