Hi All!
We set up privacyIdea for MFA to use with Keycloack as it’s described in this posts:
We set up Totp QR code for scanning, but if a user by any reason refresh the page
token will be lost.
Could any anyone please tell if there is any way to enroll a new token (QR code) or enroll an existing one if a user has never scanned it?
Enrolling a 2nd factor via keycloak is not the very best idea. You might need to reconsider you enrollment strategy.
Or you somehow could check if a token was ever used at all.
Thank you very much for having look at my question.
As I wrote my goal is to show QR of TOTP token if:
Workflow is next:
I would like to use the keylock privacy idea plugin and looks like I need to modify it
in order to solve the issue.
Could you please tell which will be correct way of solving the issue (showing to the user QR code if the user made no authorization yet):
You should not do this in the keycloak plugin. We will never ever merge a complex logic in a plugin.
rule of thumb:
keep the plugins dumb
What you basically want to do is: Throw a token away (delete it), if it was not used within a certain timewindow after enrollment. You can do this in the backend by
This way you can automatically delete unused tokens in the backend without touching anything in the plugins or applications.
Let me elaborate the use case: when the user fails to enrol on the Keycloak page they would be able to re-enrol immediately until first successful OTP-backed login, as soon as other browser tab will be opened or current page reloaded. Do you see security concerns in a such approach?
Hi
Thank you for answering again.
Actually what I should do is not to lost the QR code when the page is refreshed and I’m making the first login to the system
I wrote a video that shows the issue:
https://youtu.be/Qc4I3dguJmk
You can see here that when I refresh the page/ or open close the browser/tab
qr code will not be show again when I did not authorization first time.
Could you please how to solve this issue?
Hello,
when you enroll a token with keycloak, the token is already enrolled when the qr is displayed, independently from entering the OTP or not.
If you then refresh the page, the user already has a token and therefore no qr will be displayed and instead the OTP is requested.
Solving this “issue” would require a lot of logic in the plugin which is something we do not want to do.
Enrolling tokens using the plugin is something that is not recommended.
Hello!
We’ve tried with QA code and some group of confident users and it appears that there are too much cases when person miss QR code, can’t login and thus can’t even reach out to technical support for MFA reset or enrolment assistance. Single chance enrolment is rude.
Hi, thanks for pointing this out.
We would not like users to go to any other resource like privacy idea to manually enroll new tokens. We would just like to have a single entry point where users can have tokens enrolled.
In our case, this will be the Keycloack that shows QR code with privacy idea plugin.
The issue with refreshing the page is that there’s no guarantee that the user added the token (QR code) to an authentication application that provides tokens (TOTP in our case). And in case if the user refreshes the page he will appear in case when there’s no other way to get new QR code to add for further TOTP token authentication.
What we would like is to show the same QR code every time until the user makes 1st authentication. Is there any possibility to create such workflow with keycloack plugin and privacy idea? Or maybe there are some security issues with that?