2FA Disable/Remove does not prompt for code verification


Duarte Rocha

Mar 12, 2021, 10:11:23 AM
to Keycloak User
Hello,

Shouldn't the user be prompted to provide at least the 2FA code when removing an OTP device? Is this configurable?

Ionel GARDAIS

Mar 12, 2021, 10:54:39 AM
to Duarte Rocha, keycloak-user
Good question.
The user should be logged in to remove a device.
Thus he has been authenticated either by the device he wants to remove or by another means.
If he has been authenticated by another means, he might want to remove the device because it's been lost or is malfunctioning, thus he can't get a code from it.
If he has been authenticated by the device he wants to remove, then one could ask: is it possible to make a mandatory rule stating "there should be at least one OTP device on each account"?

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

