KEYCLOAK-6270 Support for Backup Codes for 2FA Recovery

Hello Keycloak Users,

I recently implemented support for backup codes as a custom Keycloak extension.
A description of how it works can be found on the keycloak-dev mailing list [1].

The example implementation with some gifs that show the extension in action can be found in [2].

I’d love to hear your feedback on this :)

Cheers,
Thomas

[1] Keycloak Dev Discussion https://groups.google.com/g/keycloak-dev/c/SC1JvewgLwM
[2] Backup Codes Implementation keycloak-extension-playground/auth-backup-codes at master · thomasdarimont/keycloak-extension-playground · GitHub

This is really great. I’ve heard this use case several times before. Thank you for implementing!

Question as to what happens with each code once it’s used. Do you remove it, or just mark it as used (in case someone wanted to extend to provide user feedback)?

Hi xgp,

thanks for your feedback!
Backup codes are stored as individual entries in the credentials table.
Once a backup code is used, it is deleted from the credentials table.

Cheers,
Thomas
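
The storage model described in this reply (one credential entry per backup code, deleted on use) can be sketched as follows. This is an added example, not part of the thread and not the extension's code. The in-memory map, the class and method names, and the salted PBKDF2 hashing with its parameters are assumptions made for illustration. It needs Java 17 or later.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical in-memory stand-in for the credentials table; not Keycloak's API.
public class BackupCodeDemo {
    record Row(String userId, byte[] salt, byte[] hash) {}

    static final Map<String, Row> table = new ConcurrentHashMap<>(); // credential id -> row
    static final SecureRandom rng = new SecureRandom();

    // Assumption: codes are stored as salted PBKDF2 hashes, never as plaintext.
    static byte[] hash(String code, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(code.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Each generated code becomes its own row; plaintext is returned once for display.
    static List<String> enroll(String userId, int count) throws Exception {
        List<String> codes = new ArrayList<>();
        for (int i = 0; i < count; i++) {
            String code = String.format("%016x", rng.nextLong());
            byte[] salt = new byte[16];
            rng.nextBytes(salt);
            table.put(UUID.randomUUID().toString(), new Row(userId, salt, hash(code, salt)));
            codes.add(code);
        }
        return codes;
    }

    // A matching row is deleted, so the same code cannot be accepted twice.
    static boolean redeem(String userId, String code) throws Exception {
        for (var entry : table.entrySet()) {
            Row row = entry.getValue();
            if (row.userId().equals(userId)
                    && MessageDigest.isEqual(row.hash(), hash(code, row.salt()))) { // constant-time compare
                // remove() is atomic: of two concurrent redemptions only one gets non-null.
                return table.remove(entry.getKey()) != null;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<String> codes = enroll("alice", 3); // constructed sample user
        System.out.println("first use accepted:  " + redeem("alice", codes.get(0)));
        System.out.println("second use accepted: " + redeem("alice", codes.get(0)));
        System.out.println("entries remaining:   " + table.size());
    }
}
```

In a database-backed store the same guarantee comes from treating the redemption as successful only when the delete actually removed a row.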