KeyCloak TOTP enrolment/registration

We would like to allow users to register for OTP (TOTP based). The following is our expected flow:

1. User logs in with username/password

2a. If the user was not enrolled in MFA/OTP, then KC should send an email to the user with a one-time code

2b. User will validate the code that he received.

3. On successful validation, KC will present the QR code to the user

4. User scans the QR code with the authenticator he has on his mobile and completes the OTP enrollment/registration flow

Please advise whether this is feasible with KC.

Thanks,

Narendra

Why do you want to send the user an OTP via email to set up TOTP via QR code?
You can just add the required action to configure TOTP to the user, so that the user is forced to set up TOTP.

You can make the required action a default for new users.
If you don't want to set it manually (or automated through the API) for existing users, you can implement a derived version of the existing action as a custom required action which automatically recognizes that a user doesn't have TOTP set up and that the required action should be activated for this user.
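One way to implement the custom required action described above, added here as an example rather than code from the thread or from Keycloak itself. The class name, package and provider id are assumptions, and the credential check uses the Keycloak 19+ API (the older call is given in a comment):

```java
package example.keycloak; // hypothetical package

import org.keycloak.Config;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.OTPCredentialModel;

/**
 * Keycloak calls evaluateTriggers() on every enabled required action during
 * each login. This action uses that hook to detect users without an OTP
 * credential and queues the built-in CONFIGURE_TOTP action for them, so they
 * are forced through the standard QR-code setup screen before proceeding.
 */
public class EnsureTotpConfigured implements RequiredActionProvider, RequiredActionFactory {

    // Id shown under Authentication > Required Actions in the admin console (assumed name).
    public static final String PROVIDER_ID = "ensure-totp-configured";

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        UserModel user = context.getUser();
        // Keycloak >= 19. On older servers use:
        // context.getSession().userCredentialManager()
        //        .isConfiguredFor(context.getRealm(), user, OTPCredentialModel.TYPE)
        boolean hasOtp = user.credentialManager().isConfiguredFor(OTPCredentialModel.TYPE);
        if (!hasOtp) {
            // Delegate the actual enrolment UI to Keycloak's built-in action.
            user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
        }
    }

    // This action is never assigned to a user itself, so a challenge simply completes.
    @Override
    public void requiredActionChallenge(RequiredActionContext context) { context.success(); }

    @Override
    public void processAction(RequiredActionContext context) { context.success(); }

    @Override public String getDisplayText() { return "Ensure TOTP is configured"; }
    @Override public RequiredActionProvider create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return PROVIDER_ID; }
}
```

Register the class in `META-INF/services/org.keycloak.authentication.RequiredActionFactory` inside the provider JAR, then enable it under Required Actions in the admin console.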

Please note that we are trying to add that additional step to make sure that even if the user's password is compromised, attackers can't register for OTP/MFA.

If you want this intermediary step, you have to implement a custom authenticator according to your needs; this is not out-of-the-box functionality. https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi

Thanks @dasniko

Alternatively, we are thinking of sending the seed details (QR code or some link to import the seed into the authenticator app) to the user's email.
Is there any way to send the QR code to the user's email instead of showing it on the KC screen?
