One of my users needed to reset their 2FA, but when we use the Credential Reset option to send them an email to configure their OTP, it does not work as expected.
Instead of removing their old device, it simply adds a new device. Now the user has two OTP devices (which both work) and they have to select which device to use when they authenticate in a browser.
In addition, the user can’t use the new OTP device to fetch access tokens because Keycloak will always default to use the first OTP device. See: keycloak/ValidateOTP.java at master · keycloak/keycloak · GitHub
Are there any plans to fix these bugs? Resetting OTP should delete old OTP devices so that browser and API users can use the new device.
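Until the reset flow removes the old device itself, the practical workaround for the situation described above is to delete the stale OTP credential through the Admin REST API so that only the newly configured one remains (which also sidesteps the "first OTP device wins" behaviour in `ValidateOTP`). The script below is an added example, not code from the original post or from the Keycloak project. It assumes the Admin REST endpoints `GET /admin/realms/{realm}/users/{id}/credentials` and `DELETE /admin/realms/{realm}/users/{id}/credentials/{credentialId}`, an admin bearer token obtained separately (here read from the `KC_TOKEN` environment variable), and that the most recently created OTP credential is the one the user just set up; the credential list embedded in it is constructed sample data.

```python
"""Remove every OTP credential on a user except the most recently created one.

Added example (not from the original post or the Keycloak project).
Assumptions, not stated on the page:
  - Keycloak Admin REST endpoints
      GET    /admin/realms/{realm}/users/{id}/credentials
      DELETE /admin/realms/{realm}/users/{id}/credentials/{credentialId}
  - credential objects carry "id", "type" and "createdDate" (epoch ms)
  - an admin bearer token is available in the KC_TOKEN environment variable
"""
import json
import os
import sys
import urllib.request
from typing import Callable, Dict, List, Optional


def stale_otp_credential_ids(credentials: List[Dict]) -> List[str]:
    """Return the ids of all OTP credentials except the newest one.

    Non-OTP credentials (password, webauthn, ...) are never touched.
    With zero or one OTP credential there is nothing to prune.
    """
    otps = [c for c in credentials if c.get("type") == "otp"]
    if len(otps) <= 1:
        return []
    otps.sort(key=lambda c: c.get("createdDate", 0))  # oldest first
    return [c["id"] for c in otps[:-1]]                # keep the last (newest)


def _request(method: str, url: str, token: str) -> Optional[object]:
    """Minimal stdlib HTTP helper: parsed JSON body, or None for an empty reply."""
    req = urllib.request.Request(
        url,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def prune_old_otp(
    base_url: str,
    realm: str,
    user_id: str,
    token: str,
    dry_run: bool = True,
    http: Callable[[str, str, str], Optional[object]] = _request,
) -> List[str]:
    """List the user's credentials, delete stale OTP ones, return their ids.

    dry_run=True only reports what would be deleted; credential deletion
    is irreversible, so check the report before running with dry_run=False.
    `http` is injectable so the logic can be exercised without a server.
    """
    user_url = f"{base_url}/admin/realms/{realm}/users/{user_id}"
    credentials = http("GET", f"{user_url}/credentials", token) or []
    stale = stale_otp_credential_ids(credentials)
    for cred_id in stale:
        if dry_run:
            print(f"[dry-run] would delete OTP credential {cred_id}")
        else:
            http("DELETE", f"{user_url}/credentials/{cred_id}", token)
            print(f"deleted OTP credential {cred_id}")
    return stale


# Constructed sample, shaped like an Admin API credentials response
# for a user who has been through the reset flow twice-configured OTP.
SAMPLE_CREDENTIALS: List[Dict] = [
    {"id": "cred-pass", "type": "password", "createdDate": 1600000000000},
    {"id": "cred-otp-old", "type": "otp", "userLabel": "old phone",
     "createdDate": 1610000000000},
    {"id": "cred-otp-new", "type": "otp", "userLabel": "new phone",
     "createdDate": 1620000000000},
]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample:
    print("stale on sample:", stale_otp_credential_ids(SAMPLE_CREDENTIALS))
    # Real run (dry-run by default), e.g.:
    #   KC_TOKEN=... python prune_otp.py https://kc.example.org myrealm <user-uuid>
    if len(sys.argv) == 4 and os.environ.get("KC_TOKEN"):
        prune_old_otp(sys.argv[1], sys.argv[2], sys.argv[3], os.environ["KC_TOKEN"])
```

The selection rule is deliberately narrow: only credentials of type `otp` are considered, and the newest one is kept, so a user's password or WebAuthn credentials are never affected. Run it once in dry-run mode to confirm the right `userLabel` is the one being dropped before deleting anything.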