I found a bug which causes a security problem. We enabled “Configure OTP” and also set this as default action, so that each user needs to log in with 2FA. Everything works as expected for normal usage: new users log in the first time, the QR code is displayed, and it is mandatory for each login.
The problem comes with the https://server/auth/realms/realm/account/totp page (accessible with the account\manage-account role). Here the user can delete their existing OTP device; after that a new QR code is displayed. If the user does not set up a new device now, but just closes the browser, then he can log in without setting up a new OTP and the 2FA is gone for this user.
One solution would be to set the required user action “Configure OTP” on deletion instead of displaying the QR code.
Affected versions: 9.0.3, 10.0.2 and, I guess, also the latest version.
Wouldn’t it be sufficient to modify the authentication flow to require OTP?
This is already enabled. If you use the provided link as a normal user to delete your existing OTP device, then at the next login the setting from “authentication flow” is completely ignored; that's the point!
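A compensating control for the gap described in the report above, added here as an example and not part of the original thread or of Keycloak itself: a sweep over the realm through the Admin REST API that re-queues the CONFIGURE_TOTP required action (the alias behind “Configure OTP”) for every enabled user who no longer holds an OTP credential. It assumes the Keycloak 9/10 URL layout with the /auth prefix, an admin-cli password grant against the master realm, and a realm small enough to fit in one page of results.

```python
import json
import urllib.parse
import urllib.request
OTP_ACTION = "CONFIGURE_TOTP"  # Keycloak's alias for the "Configure OTP" required action

SAMPLE_USERS = [  # constructed sample data in Admin REST API shape, not real users
    {"id": "u1", "username": "alice", "enabled": True, "requiredActions": []},
    {"id": "u2", "username": "bob", "enabled": True, "requiredActions": []},  # deleted his device
    {"id": "u3", "username": "carol", "enabled": True, "requiredActions": [OTP_ACTION]},
]
SAMPLE_CREDS = {"u1": [{"type": "password"}, {"type": "otp"}],
                "u2": [{"type": "password"}], "u3": [{"type": "password"}]}

def needs_otp_setup(user, credentials):
    """True if an enabled user holds no OTP credential and CONFIGURE_TOTP is not already queued."""
    has_otp = any(c.get("type") == "otp" for c in credentials)
    queued = OTP_ACTION in user.get("requiredActions", [])
    return bool(user.get("enabled", True)) and not has_otp and not queued

def plan_remediation(users, creds_by_id):
    """Return copies of the users that must be updated, with CONFIGURE_TOTP appended."""
    fixes = []
    for u in users:
        if needs_otp_setup(u, creds_by_id.get(u["id"], [])):
            fixed = dict(u)
            fixed["requiredActions"] = list(u.get("requiredActions", [])) + [OTP_ACTION]
            fixes.append(fixed)
    return fixes

def _call(url, token=None, data=None, method="GET"):
    # Minimal JSON client; the token request goes form-encoded (urllib's default for POST data).
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", "Bearer " + token)
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def remediate(base_url, realm, admin_user, admin_pass):
    """Sweep one realm and re-queue CONFIGURE_TOTP for every user who removed their OTP device."""
    form = urllib.parse.urlencode({"client_id": "admin-cli", "grant_type": "password",
                                   "username": admin_user, "password": admin_pass}).encode()
    token = _call(f"{base_url}/auth/realms/master/protocol/openid-connect/token",
                  data=form, method="POST")["access_token"]
    admin = f"{base_url}/auth/admin/realms/{realm}"
    users = _call(f"{admin}/users?max=1000", token)  # assumption: realm fits in one page
    creds = {u["id"]: _call(f"{admin}/users/{u['id']}/credentials", token) for u in users}
    fixes = plan_remediation(users, creds)
    for fixed in fixes:  # the Admin API updates a user by PUT of the full representation
        _call(f"{admin}/users/{fixed['id']}", token, json.dumps(fixed).encode(), "PUT")
    return [f["username"] for f in fixes]
```

Running `remediate(...)` on a schedule closes the window between device deletion and the next login; on the constructed sample only `bob` is flagged, since `alice` still has an OTP credential and `carol` already has the action queued.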