Manage-account OTP security issue: 2FA can be disabled by the user

hi guys,

I found a bug which causes a security problem. We enabled “Configure OTP” and also set this as the default action, so that each user needs to log in with 2FA. Everything works as expected for normal usage: new users log in the first time, the QR code is displayed, and OTP is mandatory for each login.

The problem comes with the https://server/auth/realms/realm/account/totp page (accessible with the account\manage-account role). Here the user can delete their existing OTP device. After that a new QR code is displayed. If the user does not set up a new device now and just closes the browser, then he can log in without setting up a new OTP and the 2FA is gone for this user.

One solution would be to set the required user action “Configure OTP” on deletion instead of displaying the QR code.

Affected versions: 9.0.3, 10.0.2 and I guess also the latest version.

Best regards,

Oliver

Report or check if it already exists on https://issues.redhat.com/projects/KEYCLOAK/issues

I searched for existing issues, but did not find anything matching. So I created a new issue there: https://issues.redhat.com/browse/KEYCLOAK-15000

Thanks!

Here you can close this ticket if you want.

I’m not an admin.
You can close topics you created yourself.

Wouldn’t it be sufficient to modify the authentication flow to require OTP?

If set-up correctly it would add the required action when the user tries to log in, without OTP being configured.

Wouldn’t it be sufficient to modify the authentication flow to require OTP?
This is already enabled. If you use the provided link as a normal user to delete your existing OTP device, after that at the next login the setting from “authentication flow” is completely ignored, that's the point!

If your authentication flow contains “Condition - User Configured”, this is true.

However, you can remove the condition to make it mandatory. Then it will automatically add the required action to configure OTP at the next login.

Accounts would be vulnerable until the next login attempt though.
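As an added example (not code from this thread or from Keycloak), a small admin-side audit that applies the idea from the first post out of band: it finds enabled users who have no OTP credential and no pending "Configure OTP" action, and puts the CONFIGURE_TOTP required action on them now, so such accounts are found immediately instead of at their next login attempt. It assumes the realm's flow is meant to require OTP for everyone, a base URL such as https://server/auth, the admin REST endpoints for users and user credentials, and an admin bearer token obtained separately; the sample users and credentials are constructed.

```python
"""Hypothetical audit script (not from the thread or Keycloak): users with no OTP credential
who are not already queued for "Configure OTP" get the CONFIGURE_TOTP required action."""
import json, sys, urllib.request

OTP_TYPE = "otp"                    # credential type Keycloak stores for TOTP/HOTP devices
CONFIGURE_TOTP = "CONFIGURE_TOTP"   # alias of the "Configure OTP" required action

SAMPLE_USERS = [  # constructed, in the shape of the admin API's UserRepresentation
    {"id": "u1", "username": "alice", "enabled": True, "requiredActions": []},
    {"id": "u2", "username": "bob", "enabled": True, "requiredActions": []},
    {"id": "u3", "username": "carol", "enabled": True, "requiredActions": ["CONFIGURE_TOTP"]},
]
SAMPLE_CREDS = {"u1": [{"type": "password"}, {"type": "otp"}],  # constructed credential lists
                "u2": [{"type": "password"}], "u3": [{"type": "password"}]}

def users_missing_otp(users, creds_by_user):
    """Enabled users with no OTP credential and no pending CONFIGURE_TOTP action."""
    flagged = []
    for u in users:
        has_otp = any(c.get("type") == OTP_TYPE for c in creds_by_user.get(u["id"], []))
        pending = CONFIGURE_TOTP in u.get("requiredActions", [])
        if u.get("enabled", True) and not has_otp and not pending:
            flagged.append(u)
    return flagged

def with_configure_totp(user):
    """Copy of the user representation with CONFIGURE_TOTP appended (input not mutated)."""
    actions = list(user.get("requiredActions", []))
    if CONFIGURE_TOTP not in actions:
        actions.append(CONFIGURE_TOTP)
    return {**user, "requiredActions": actions}

def _call(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def remediate(base, realm, token):
    """base is e.g. https://server/auth; token needs realm admin rights (manage-users)."""
    users = _call("GET", f"{base}/admin/realms/{realm}/users?max=1000", token)
    creds = {u["id"]: _call("GET", f"{base}/admin/realms/{realm}/users/{u['id']}/credentials", token)
             for u in users}
    for u in users_missing_otp(users, creds):
        _call("PUT", f"{base}/admin/realms/{realm}/users/{u['id']}", token, with_configure_totp(u))
        print("queued OTP setup for", u["username"])

if __name__ == "__main__":  # e.g. python audit_otp.py https://server/auth myrealm "$ADMIN_TOKEN"
    remediate(*sys.argv[1:4])
```

Run it on a schedule (or after reviewing account events) so a user who deleted a device without re-enrolling is queued for setup before the next login; users already carrying CONFIGURE_TOTP are left untouched.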