Prevent user from stepping out of the 2FA in new account console

Hey everybody,

first of all: I am new here :). Please forgive if this question already has been asked (I was searching for similar topics, but only found a thread about not being able to edit user attributes in the new account console).

We want to use Keycloak for our organization, but we also want to enforce an OTP based 2FA for all of our users, regardless if they want to have the 2nd factor or not. We managed to set this up successfully on account creation …

… but with the new account console (which looks great BTW and is a real improvement compared to the old one :)), everybody (still) can step out of the 2FA at his/her own will.

Is there any way this can be prevented? Or would we have to change the account console itself in order to achieve this goal?

Thank you for your time and for any kind of answer,

Martin

Hi, you can change the authentication flow and make 2FA mandatory there. The user can’t escape this; if he removes it, he will need to configure it again.

Removing from account console isn’t a good approach.

Thank you Claudio!

I changed the “Browser - Conditional OTP” in the browser flow from “conditional” to “required”, which seemed to do the trick:

Has this been what you suggested?

Many greetings and best wishes,
Martin

Yes. As a suggestion, you can copy the default flow and make changes on the copy.

Pro: you do not lose default config
Con: you need to point every client to this new flow.
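
To verify the setting discussed in this thread without clicking through the admin console, the following added example (not part of the original thread and not Keycloak project code) audits a flow's execution list, in the shape returned by the Admin REST API endpoint `GET /admin/realms/{realm}/authentication/flows/{flowAlias}/executions`, and reports an OTP Form that is not required or that sits under a conditional or disabled subflow. The sample flow is constructed and the function names are hypothetical; ALTERNATIVE parents such as "forms" are assumed to be intentional and are not judged.

```python
# Added example: field names follow Keycloak's Admin REST API response for
# GET /admin/realms/{realm}/authentication/flows/{flowAlias}/executions

def browser_flow(otp_subflow_requirement):
    """Constructed sample: default browser flow, trimmed to the relevant fields."""
    def ex(name, req, level, provider=None, flow=False):
        return {"displayName": name, "requirement": req, "level": level,
                "providerId": provider, "authenticationFlow": flow}
    return [
        ex("Cookie", "ALTERNATIVE", 0, "auth-cookie"),
        ex("forms", "ALTERNATIVE", 0, flow=True),
        ex("Username Password Form", "REQUIRED", 1, "auth-username-password-form"),
        ex("Browser - Conditional OTP", otp_subflow_requirement, 1, flow=True),
        ex("Condition - user configured", "REQUIRED", 2, "conditional-user-configured"),
        ex("OTP Form", "REQUIRED", 2, "auth-otp-form"),
    ]

def otp_findings(executions):
    """Return reasons why OTP is not enforced; an empty list means it is."""
    findings, parents, seen_otp = [], [], False
    for e in executions:
        # The list is flattened depth-first; "level" gives the nesting depth,
        # so parents[:level] are the subflows enclosing this execution.
        del parents[e["level"]:]
        if e.get("providerId") == "auth-otp-form":
            seen_otp = True
            if e["requirement"] != "REQUIRED":
                findings.append(f'{e["displayName"]} is {e["requirement"]}')
            for p in parents:
                # A conditional or disabled parent lets users without OTP through.
                if p["requirement"] in ("CONDITIONAL", "DISABLED"):
                    findings.append(f'subflow "{p["displayName"]}" is {p["requirement"]}')
        if e.get("authenticationFlow"):
            parents.append(e)
    if not seen_otp:
        findings.append("flow has no OTP Form execution")
    return findings

if __name__ == "__main__":
    for req in ("CONDITIONAL", "REQUIRED"):
        print(req, "->", otp_findings(browser_flow(req)) or "OTP enforced")
```

Feeding it the JSON fetched for a copied flow gives a repeatable check that the copy still enforces OTP after later edits.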