Reputation: 41
Starting from Keycloak 8.0.1, users can register multiple OTP devices.
Is there any way to restrict the number of OTP credentials (devices) for a user? The behavior I want to achieve is to allow only one OTP device to be active for a user, so users don't need to select a device from a dropdown on the login page (the behavior of previous Keycloak versions).
Upvotes: 4
Views: 1742
Reputation: 71
There is a related problem: when you do an OTP reset, a new OTP device is added. So no real reset, I would say. Being able to limit the list to only one OTP device would in fact make it possible to reset the OTP, as the new OTP would push the previous OTP device out of the list.
Upvotes: 1
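One way to get the single-device behaviour the question and the comment above ask for, as an added example that is not from the Keycloak project or from any of the posters: an admin-side script that keeps only the newest OTP credential of a user and deletes the rest through the Keycloak Admin REST API. It assumes the Keycloak 8+ endpoints `GET /admin/realms/{realm}/users/{id}/credentials` and `DELETE /admin/realms/{realm}/users/{id}/credentials/{credentialId}`, and a password grant against the `admin-cli` client of the `master` realm; the base URL, realm, user id and the sample credential list are constructed placeholders.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed sample shaped like the Keycloak 8+ credentials response; only the
# fields this script reads are included, and the ids/dates are made up.
SAMPLE_CREDENTIALS = [
    {"id": "c1", "type": "password", "createdDate": 1577836800000},
    {"id": "c2", "type": "otp", "userLabel": "old phone", "createdDate": 1580515200000},
    {"id": "c3", "type": "otp", "userLabel": "new phone", "createdDate": 1583020800000},
]


def otp_credentials_to_remove(credentials):
    """Return the ids of every OTP credential except the most recently created one.

    Pure selection logic, so it can be unit-tested without a server. Keeping the
    newest entry is what makes a 'reset' replace the old device instead of adding
    a second one.
    """
    otps = [c for c in credentials if c.get("type") == "otp"]
    if len(otps) <= 1:
        return []
    newest = max(otps, key=lambda c: c.get("createdDate", 0))
    return [c["id"] for c in otps if c["id"] != newest["id"]]


def admin_token(base, username, password):
    """Password grant on the master realm's admin-cli client (assumed endpoint)."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def list_credentials(base, token, realm, user_id):
    req = urllib.request.Request(
        f"{base}/admin/realms/{realm}/users/{user_id}/credentials",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def delete_credential(base, token, realm, user_id, credential_id):
    req = urllib.request.Request(
        f"{base}/admin/realms/{realm}/users/{user_id}/credentials/{credential_id}",
        method="DELETE", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def enforce_single_otp(base, token, realm, user_id):
    """Delete all but the newest OTP credential; returns the ids that were removed."""
    removed = []
    for cid in otp_credentials_to_remove(list_credentials(base, token, realm, user_id)):
        delete_credential(base, token, realm, user_id, cid)
        removed.append(cid)
    return removed


if __name__ == "__main__":
    # Placeholder values; Keycloak before 17 serves everything under /auth.
    base = os.environ.get("KC_BASE", "http://localhost:8080/auth")
    realm = os.environ.get("KC_REALM", "demo")
    user_id = os.environ.get("KC_USER_ID", "00000000-0000-0000-0000-000000000000")
    token = admin_token(base, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    print("removed:", enforce_single_otp(base, token, realm, user_id))
```

This is a clean-up after the fact, not an enforced limit: the "Configure OTP" required action still stores the new credential first, and a user could have two devices listed in the window between registration and the next run of the script. Run it on a schedule, or trigger it from your own post-registration hook, and log the removed ids so that an unexpected extra OTP credential on an account is visible to the SOC rather than silently deleted.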
Reputation: 28676
It doesn't make sense. You may somehow restrict a user to having just one OTP device instance in Keycloak. But you can't restrict the user to having that single OTP instance on just a single device. The user can scan the same initial OTP QR code on many devices, and then all these devices provide the same OTP code. (I use it as well, because a single OTP device seems risky to me.)
This kind of "OTP device replication" is not a problem, especially for TOTP. HOTP may have a problem with that.
Upvotes: -1
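The TOTP/HOTP distinction the answer above draws, worked through in code as an added example that is not part of the original thread and not Keycloak's implementation: two "phones" seeded from the same QR code, checked against a server that holds the same seed. The HOTP and TOTP arithmetic follows RFC 4226 and RFC 6238, the seed is the RFC test-vector secret, and the device and server classes are illustrative models rather than Keycloak code.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). A real Keycloak
# seed is random and shown to the user as a QR code; the arithmetic is identical.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP whose counter is derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class TotpDevice:
    """A phone that scanned a TOTP QR code; all it holds is the seed."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def code(self, unix_time: int) -> str:
        return totp(self.secret, unix_time)


class HotpDevice:
    """A phone that scanned an HOTP seed; it also keeps its own moving counter."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpServer:
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4)."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # a counter value is never accepted twice
                return True
        return False


def replicated_totp(unix_time: int = 59) -> dict:
    """Two phones with the same TOTP seed are indistinguishable to the server:
    same seed plus same clock gives the same code."""
    a, b = TotpDevice(SHARED_SECRET), TotpDevice(SHARED_SECRET)
    return {"a": a.code(unix_time), "b": b.code(unix_time),
            "server": totp(SHARED_SECRET, unix_time)}


def replicated_hotp() -> dict:
    """Two phones with the same HOTP seed drift apart: after phone A has used
    counters 0-2, phone B's first three codes are replays the server already
    consumed, and once B resyncs at counter 3, A is the one left behind."""
    server = HotpServer(SHARED_SECRET)
    a, b = HotpDevice(SHARED_SECRET), HotpDevice(SHARED_SECRET)
    a_first = [server.verify(a.next_code()) for _ in range(3)]     # counters 0,1,2
    b_attempts = [server.verify(b.next_code()) for _ in range(4)]  # counters 0,1,2,3
    a_after = server.verify(a.next_code())                         # counter 3, already used by B
    return {"a_first": a_first, "b_attempts": b_attempts, "a_after": a_after}


if __name__ == "__main__":
    print("TOTP:", replicated_totp())
    print("HOTP:", replicated_hotp())
```

The TOTP case is why a "one credential per user" rule in Keycloak cannot guarantee one physical device: the server only ever sees codes, and every copy of the seed produces the same ones. The HOTP case is the practical cost of copying an HOTP seed: each phone advances its own counter, so the copies step on each other and one of them is always out of the server's look-ahead window. The secret therefore deserves the same protection as a password, and an enrolment QR code that was ever displayed or stored should be treated as potentially copied.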