OTP Authentication after Password reset

Hello!

By default, Keycloak automatically logs in the user after performing a password reset flow.

If the user has previously configured an OTP, I would like to ask for OTP authentication after the user has reset his password (and so to prevent the automatic login):

  1. The user clicks on “I forgot my password” link
  2. The user submits his username or email address
  3. The user receives an email and clicks on the link
  4. The user submits his new password
  5. If the user has previously configured an OTP:
     • Ask for OTP Authentication
  6. The user is authenticated

I tried to play with the Authentication flows, but the OTP form is always shown before the password change form during the process.

I hope one of you can help me solve that :slight_smile:

Thank you very much!

Hello again :slight_smile:

Can anybody help me on that issue?

Thank you very much!

Hello again!

I am still struggling with that issue :slight_smile: Hopefully someone can help me on that.

From my point of view, it is a security issue because MFA is not required after a password reset (if the user has configured one).

If an attacker gains access to the password reset link, the legitimate user is not protected by his configured MFA.

Thank you very much!

We ran into the same issue now. Surprised this is the default setup.

It allows an attacker to add their own OTP device, breaking its security.
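A small audit script, added here as an example (not code from this thread or from Keycloak), that checks a realm's reset credentials flow for the gap described above: an OTP Form that is missing, disabled, or placed before the Reset Password step. It assumes the execution list shape returned by the admin REST API (`providerId`, `requirement`, `level`, `displayName`) and the built-in provider ids named in the constants; the two sample flows are constructed.

```python
"""Audit a Keycloak 'reset credentials' flow for the gap discussed in this thread: an OTP
step that is missing, disabled, or placed before 'Reset Password'. Input is the JSON list
from GET /admin/realms/{realm}/authentication/flows/{alias}/executions, in flow order."""

RESET_PASSWORD = "reset-password"     # provider id of the 'Reset Password' execution
OTP_FORM = "auth-otp-form"            # provider id of the 'OTP Form' execution
ACTIVE = {"REQUIRED", "CONDITIONAL"}  # requirements under which a step can be enforced

def _enclosing_subflows(executions, pos):
    """Sub-flows containing executions[pos]: nearest preceding entries with a smaller level."""
    level, found = executions[pos]["level"], []
    for entry in reversed(executions[:pos]):
        if entry["level"] < level:
            found.append(entry)
            level = entry["level"]
    return found

def audit_reset_flow(executions):
    """Return a list of findings; an empty list means OTP is enforced after the password reset."""
    find = lambda pid: next((i for i, e in enumerate(executions) if e["providerId"] == pid), None)
    reset_pos, otp_pos = find(RESET_PASSWORD), find(OTP_FORM)
    if otp_pos is None:
        return ["no 'OTP Form' execution: MFA is never asked during a password reset"]
    findings = []
    otp = executions[otp_pos]
    if otp["requirement"] not in ACTIVE:
        findings.append(f"'OTP Form' is {otp['requirement']}: it cannot enforce MFA")
    for sub in _enclosing_subflows(executions, otp_pos):
        if sub["requirement"] not in ACTIVE:
            findings.append(f"sub-flow '{sub['displayName']}' is {sub['requirement']}: its OTP Form is skipped")
    if reset_pos is None:
        findings.append("no 'Reset Password' execution: is this the reset credentials flow?")
    elif otp_pos < reset_pos:
        findings.append("'OTP Form' runs before 'Reset Password': move it below the password step")
    return findings

def ex(provider, requirement, level=0, name=None):  # one execution entry (constructed sample data)
    return {"providerId": provider, "requirement": requirement, "level": level,
            "displayName": name or provider, "authenticationFlow": name is not None}

# Constructed sample matching the thread: OTP Form sits above Reset Password.
AS_REPORTED = [ex("reset-credentials-choose-user", "REQUIRED"), ex("reset-credential-email", "REQUIRED"),
               ex("auth-otp-form", "REQUIRED"), ex("reset-password", "REQUIRED")]
# Constructed sample of the wanted order: a CONDITIONAL sub-flow asking for OTP only if configured.
DESIRED = AS_REPORTED[:2] + [ex("reset-password", "REQUIRED"),
                             ex(None, "CONDITIONAL", 0, "Reset - Conditional OTP"),
                             ex("conditional-user-configured", "REQUIRED", 1),
                             ex("auth-otp-form", "REQUIRED", 1)]
```

Feed it the JSON from the admin REST API or from `kcadm.sh get authentication/flows/<alias>/executions` and treat any finding as a flow that still lets a reset link bypass MFA.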