  1. Keycloak
  2. KEYCLOAK-15000

Manage-account OTP security issue: 2FA can be disabled by the user


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Explained
    • Affects Version/s: 9.0.3, 10.0.2, 11.0.0
    • Fix Version/s: None
    • Component/s: Authentication
    • This issue is security relevant
    • Steps to Reproduce:
      1. enable the required action “Configure OTP” and set it up as a default action (in Authentication/Flows of your Realm)
      2. give the testuser the client role account\manage-account (if not default)
      3. log in with the testuser to your application
      4. the OTP setup (QR code) is displayed; complete it
      5. open https://server/auth/realms/realm/account/totp and delete the OTP device
      6. close the browser window without setting up OTP again
      7. log in again to your application with the testuser -> now no OTP setup is prompted any more, the user can log in without 2FA every time

    Description

      I found a bug which causes a security problem. We enabled “Configure OTP” and also set this as a default action, so that each user needs to log in with 2FA. Everything works as expected for normal usage: new users log in the first time, the QR code is displayed, and OTP is mandatory for each login.

      The problem comes with the https://server/auth/realms/realm/account/totp page (accessible with the account\manage-account role). Here the user can delete their existing OTP device. After that a new QR code is displayed. If the user does not set up a new device now and just closes the browser, then he can log in without setting up a new OTP, and the 2FA is gone for this user.

      One solution would be to set the required user action “Configure OTP” on deletion instead of displaying the QR code.

      PS: I reported it first here: https://keycloak.discourse.group/t/manage-account-otp-security-issue-2fa-can-be-disabled-by-the-user/4107 but was advised to report it here too.
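      The reporter's suggested mitigation (re-applying the required action when the device is deleted) can also be checked for from the admin side. What follows is an added example, not code from this issue or from the Keycloak project: an offline audit over constructed records shaped like the admin REST API's UserRepresentation, CredentialRepresentation and EventRepresentation. It flags enabled users who have no OTP credential and no pending CONFIGURE_TOTP required action, flags users whose most recent REMOVE_TOTP event was never followed by an UPDATE_TOTP event, and builds the user update that puts the required action back. The sample data, the function names and the assumption that event logging is enabled and retained are mine; the required-action alias CONFIGURE_TOTP, the credential type "otp" and the event type names REMOVE_TOTP / UPDATE_TOTP are Keycloak's own.

```python
"""Audit for users who lost their OTP second factor (added example, not Keycloak code).

Input records are constructed here to mirror the shapes returned by the Keycloak
admin REST API (GET /admin/realms/{realm}/users, .../users/{id}/credentials and
.../events); in a real run they would come from those endpoints (assumption).
"""
from typing import Dict, List

CONFIGURE_TOTP = "CONFIGURE_TOTP"   # Keycloak alias of the "Configure OTP" required action
OTP_CREDENTIAL_TYPE = "otp"         # credential type stored for an enrolled OTP device
REMOVE_EVENT = "REMOVE_TOTP"        # user event emitted when an OTP device is deleted
UPDATE_EVENT = "UPDATE_TOTP"        # user event emitted when an OTP device is (re)enrolled


def has_otp_credential(credentials: List[Dict]) -> bool:
    """True if at least one credential of the user is an OTP device."""
    return any(c.get("type") == OTP_CREDENTIAL_TYPE for c in credentials)


def users_missing_second_factor(users: List[Dict],
                                credentials_by_user: Dict[str, List[Dict]]) -> List[str]:
    """IDs of enabled users who have neither an OTP device nor a pending CONFIGURE_TOTP action.

    A user in the state described in the issue (device deleted, browser closed) ends up
    here: no OTP credential and an empty requiredActions list.
    """
    findings = []
    for user in users:
        if not user.get("enabled", True):
            continue  # disabled accounts cannot log in; not a 2FA gap
        if CONFIGURE_TOTP in user.get("requiredActions", []):
            continue  # enrollment will be forced at next login
        if not has_otp_credential(credentials_by_user.get(user["id"], [])):
            findings.append(user["id"])
    return findings


def unfinished_otp_removals(events: List[Dict]) -> List[str]:
    """User IDs whose latest REMOVE_TOTP event was not followed by an UPDATE_TOTP event."""
    last_remove: Dict[str, int] = {}
    last_update: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == REMOVE_EVENT:
            last_remove[ev["userId"]] = ev["time"]
        elif ev["type"] == UPDATE_EVENT:
            last_update[ev["userId"]] = ev["time"]
    return sorted(uid for uid, t in last_remove.items() if last_update.get(uid, -1) < t)


def remediation_payload(user: Dict) -> Dict:
    """UserRepresentation with CONFIGURE_TOTP appended, for PUT /admin/realms/{realm}/users/{id}."""
    actions = list(user.get("requiredActions", []))
    if CONFIGURE_TOTP not in actions:
        actions.append(CONFIGURE_TOTP)
    return {**user, "requiredActions": actions}


# --- constructed sample data (not real users or events) ---------------------
SAMPLE_USERS = [
    {"id": "u1", "username": "alice", "enabled": True, "requiredActions": []},   # enrolled OTP
    {"id": "u2", "username": "bob", "enabled": True, "requiredActions": []},     # deleted OTP, walked away
    {"id": "u3", "username": "carol", "enabled": True, "requiredActions": [CONFIGURE_TOTP]},  # new user
    {"id": "u4", "username": "dave", "enabled": False, "requiredActions": []},   # disabled account
]
SAMPLE_CREDENTIALS = {
    "u1": [{"type": "password"}, {"type": "otp"}],
    "u2": [{"type": "password"}],
    "u3": [{"type": "password"}],
    "u4": [{"type": "password"}],
}
SAMPLE_EVENTS = [
    {"type": "REMOVE_TOTP", "userId": "u1", "time": 900},   # alice removed ...
    {"type": "UPDATE_TOTP", "userId": "u1", "time": 950},   # ... and re-enrolled
    {"type": "REMOVE_TOTP", "userId": "u2", "time": 1000},  # bob removed and never re-enrolled
    {"type": "LOGIN", "userId": "u2", "time": 1100},        # bob logged in with password only
]

if __name__ == "__main__":
    gaps = users_missing_second_factor(SAMPLE_USERS, SAMPLE_CREDENTIALS)
    print("users without second factor:", gaps)                        # ['u2']
    print("unfinished OTP removals:", unfinished_otp_removals(SAMPLE_EVENTS))  # ['u2']
    for user in SAMPLE_USERS:
        if user["id"] in gaps:
            print("PUT payload:", remediation_payload(user))
```

      The two checks are independent on purpose: the credential audit finds the gap even when event logging was off at the time of deletion, while the event check surfaces the removal as it happens, which is the cheaper signal to alert on.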

          People

            psilva@redhat.com Pedro Igor Craveiro
            oweis Oliver Weis (Inactive)
            Votes: 0
            Watchers: 2