Restrict a number of OTP credentials for a user on Keycloak - keycloak

Starting from Keycloak 8.0.1 users can register multiple OTP devices:
screen of user setup page on Keycloak admin ui
Is there any way to restrict a number of OTP credentials (devices) for a user?
The behavior I want to achieve is to allow only one OTP device to be active for a user so users don't need to select a device from a dropdown on the login page (the behavior prior to the previous Keycloak versions).

There is a related problem, when you do a OTP reset, a new OTP device is added. So no real reset I would say.
Being able to limit to only one OTP device in the list would in fact make it possible to reset the OTP as the new OTP would push previous OTP device out from the list.

It doesn't make sense. You may somehow restrict user to have just one OTP device instance in the Keycloak. But you can't restrict user to have that single OTP instance on just single device. User can scan the same initial OTP QR code to many devices and then all these devices provide the same OTP code. (I use it as well, because single OTP device seems to be risky for me).
This kind of "OTP device replication" is not a problem especially for TOTP. HOTP may have a problem with that.

Related

AWS amplify (cognito) - change phone number during signup and verification

I have the "happy path" of signing up a user implemented using Flutter & AWS Amplify. I have made the user to verify their account using their phone numbers so that the verification code is sent to the phone and the signup process is completed.
I realised that, during testing, one could easily make a mistake. So I want the user to be able to go back and change the phone number so that the verification code is sent to the correct one. However, using Amplify, you cannot change the details if the user is not signed in, and the user cannot be signed in unless their account is "confirmed". Of course, their account cannot be "confirmed" if they don't receive the verification code and with the wrong phone number due to their mistake, they will never receive the verification code...
Has anyone faced the same problem and could help me how to solve this please?
I read that you could use Lambda functions to "auto-confirm" the account without any verification which means they can sign in, which would allow me to change their phone number if they have entered a wrong phone number. But I am not sure if this is the easiest way to do it

How to verify phone number using OTP without Authentication in Flutter

How to implement phone number verification in Flutter. In my app user is signed in via email, after the sign in process i need to add the phone number and verify it via OTP. I tried in Firebase the phone number verification is added with the authentication flow.
I don’t want to include the authentication flow, i just need to verify the number. How to implement this?
Please someone help me on this.
It is not possible to implement phone number verification without using Firebase Authentication as phone number verification is a feature within the Firebase Authentication system.

Firebase: Standard User Registration/Activation Workflow

I need to implement a standard user registration/activation workflow with Firebase. There doesn't seem to be an obvious way to implement this. When I say "standard", I mean how most email/password accounts work - not necessarily specific to Firebase. I'm sure you're familiar with this. This is the workflow:
User enters their username/password on a form with some validation and submits details
The back-end creates the user record in the database, but the account remains deactivated (i.e. user cannot authenticate - the activated flag is set to false)
The back-end sends an email to the user with a link to activate the account
The user clicks the link in their email which triggers activation. This is probably a Web API of some description.
At this point, the user record's activated flag ticks over to true, and the user can now authenticate
The link probably also has a deep link that opens the app or navigates to a web page
The user can now log into the app
How do I configure Firebase to do all this?
Currently, the app allows the user to register. I am using the Flutterfire SDK. I call createUserWithEmailAndPassword, which successfully creates the user in Firebase. But, the user is already activated. The user should have a state of "disabled" in firebase until the account becomes activated. I can't find any settings to default the user to disabled when the account is first created.
I also managed to get Firebase to send out an activation email by calling sendSignInLinkToEmail, but this call is really designed for email authentication - not email activation. Opening the link should activate the account, but I have not figured out how to do this. This documentation makes it sound like it is possible. Perhaps, the Flutterfire SDK is missing this? I don't want to allow people to log in without a password. I only want to use this call to send out an email.
What am I missing here? Is this non-standard behavior for Firebase? If so, why? If the user is allowed to use an app with an email address that is not activated, they can impersonate someone else. We need to confirm at least that they are custodians of the email address that they are claiming to have.
Do other Firebase people just not worry about this?
Lastly, I know I can achieve this by creating a collection for users in Firebase and putting an "activated" flag there. But, if I do that, I've got to write a cloud function that accepts the link and then updates the user in the collection based on the received link. But I thought this would be automatic in Firebase. If Firebase doesn't have this built-in, I have to put all the security over the top to stop users from authenticating when they have not yet activated their account.
This is a pretty valid concern. I suppose the way around this is to check whether the signed-in user is verified whenever the app is launched. The User object that is returned from Firebase Auth has an emailVerified flag. Check this page for more details.
Using this flag you can choose to show a different screen or pop-up that has a button to send a verification link to the registered email address. Until the user verifies this address, you can limit access to some of the app's screens if you want.
Please note that I have not checked if this emailVerified flag is true for sign ups using Federated login providers like Google Sign-in and Apple Sign In. You might want to check that out.

mobile PIN based authentication for mobile app

I need to build a mobile app where i need to first register a user by phone number followed by setting up a 4 digit PIN. Next time when user logs in user can directly input the set 4 digit PIN and logs in on the app.
How can i implement it with spring security?
My thought is, when user registers with his/her phone no + PIN then do i need to keep this combination in Spring token store or an IDP like keycloack so that when user opens the app again then i can do a check in db if the device is registered in the db (with IMEA no) with mpin set up then show the PIN screen to input? In this case, will PIN be a part of IDP then which field in IDP should hold PIN? like password or something..?
can you pls give me some direction around this.
Flutter package : local_auth: ^1.1.11
The authenticate() method uses biometric authentication, but also allows users to use pin, pattern, or passcode.

Device to device push notifications logic Swift IOS Firebase

My goal is to implement a function where, when a user (lets call him User1) sends a message to another user (User2), a notification is sent to User2´s device, so he can see the message right on the lock screen. I have already implemented a function where this works. My only problem now is that when I send the push Notification from User1´s device to User2´s device, I don't know if User2 is on the account that he should receive the message on.
If User2 has logged into a different account and User1 sends him a message, he sees this message, although User2 is in a different account and shouldn't see this message. Is there any way to know if a user logged into a different account and to then block the notification from showing on User2´s device?
Firebase Cloud Messaging has no concept of a user. It only knows about devices, or more explicitly app instances (a specific app on a specific device is an app instance).
If your use-case is based around users, your application logic is making a mapping from a user to their FCM instance ID/IDs. If you want the user to not receive a message anymore on a specific app instance, you need to remove the mapping you made.
The most common way to do this is to remove the mapping when the user signs out from your application on a specific device.
Since this is all rather abstract, I recommend also checking out:
When to register an FCM token for a user
Removing a user from Firebase
How to send FCM messages to a different user
Android: How to handle user logout Firebase Cloud Messaging in 2021
How to get Firebase user id from FCM token? (in admin code on server)