Manage-account OTP security issue: 2FA can be disabled by the user

hi guys,

i found a bug which causes a security problem. We enabled “Configure OTP” and also set this as default action, so that each users needs to login with 2FA. everything works as expected for the normal usage: new users login the first time, QR is displayed, is mandatory for each login.

the problem comes with the https://server/auth/realms/realm/account/totp page (accessible with the account\manage-account role). here the user can delete their existing OTP device. after that a new QR code is displayed. If the user does not setup now a new device, just closes the browser, then he can login without setting up a new OTP and the 2FA is gone for this user.

One solution would be to set the required user action “Configure OTP” on deletion instead of displaying the QR code.

affected versions: 9.0.3, 10.0.2 and a guess also the latest version

best regards


Report or check if it already exists on

i searched for exsting issues, but did not find anything matching. So i created a new issue there:


here you can close this ticket if you want

I’m not an admin.
You can close topics you created yourself.

Wouldn’t it be sufficient to modify the authentication flow to require OTP?

If set-up correctly it would add the required action when the user tries to log in, without OTP being configured.

Wouldn’t it be sufficient to modify the authentication flow to require OTP?
this is already enabled. if you use the provided link as normal user to delete you existing OTP device, after that at the next login the setting from “authentication flow” is completely ignored, thats the point!

If your authentication flow is containing “Condition - User Configured”, this is true.

However, you can remove the condition to make it mandatory. Then it will automatically add the required action to configure otp with the next login.

Accounts would be vulnerable until the next login attempt though.