cooperlyt / keycloak-phone-provider

A Keycloak provider for phone and SMS
MIT License
286 stars, 159 forks

Use SMS as second factor in 2FA method (Browser flow) - bypass #40

Closed abebehailu closed 1 year ago

abebehailu commented 1 year ago

Hi,

When a user has the cookie SMS_OTP_ANSWERED set in the browser, the user bypasses the phone verification challenge. This seems to be a feature but can be used with malicious intent to bypass the phone verification challenge. Any data that the user can manipulate should never be trusted. I am referring to the following line in the code: https://github.com/cooperlyt/keycloak-phone-provider/blob/7c9a67c0c86a7163bd577bce317a437de92419be/keycloak-phone-provider/src/main/java/cc/coopersoft/keycloak/phone/authentication/authenticators/browser/SmsOtpMfaAuthenticator.java#L95

Reproduction steps

  1. Create user and configure OTP with SMS. Also make sure OTP with SMS is enabled for the browser flow.
  2. At the login page, open developer tool in the browser and add the cookie SMS_OTP_ANSWERED with the value true for the path /realms/{realm-name}.
  3. Provide login credentials and login.
  4. You will not be prompted for phone verification. If the cookie was not set in the browser you would be prompted for phone verification.

Could you either remove the feature, implement it in another way, or add a configuration option to opt out of the feature? As it is now, any user could bypass the phone verification by simply adding a cookie in their browser.
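The decision the report is about, reduced to the check the authenticator makes, with the client-controlled cookie beside a server-verifiable one. This is an added illustration in Python and is not the provider's Java code, Keycloak's API, or the fix the maintainer later shipped; `SERVER_KEY`, the cookie layout (`base64url(user|credential|expiry).hex(hmac)`), the function names, and the identifiers `alice`, `bob` and `cred-1` are assumptions made for the example. The hardened variant mints the cookie only after a successful SMS verification and, when reading it back, checks an HMAC under a key the browser never sees, the expiry, the user the cookie was issued for, and that the phone credential still exists, so the value a user can type into developer tools carries no authority on its own.

```python
import base64
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "SMS_OTP_ANSWERED"

# Hypothetical server-side key (assumption). A real deployment would keep it in
# server or realm configuration; clients never see it, so they cannot compute
# the MAC below. A fresh random key per process is fine for this illustration.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_skip_otp(cookies):
    """The pattern the report describes: the SMS challenge is skipped whenever
    the browser sends SMS_OTP_ANSWERED=true. The browser chooses that value,
    so the skip decision is attacker-controlled."""
    return cookies.get(COOKIE_NAME) == "true"


def _mac(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_otp_cookie(user_id, credential_id, ttl_seconds, key=SERVER_KEY, now=None):
    """Mint the cookie only after the SMS code was actually verified. It binds
    the user, the phone credential and an expiry under an HMAC, so the client
    can present it later but cannot forge or alter it. Identifiers are assumed
    to contain no '|' (Keycloak user and credential ids are UUIDs)."""
    exp = int(time.time() if now is None else now) + ttl_seconds
    payload = f"{user_id}|{credential_id}|{exp}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_mac(payload, key).hex()}"


def hardened_skip_otp(cookies, user_id, active_credential_ids, key=SERVER_KEY, now=None):
    """Skip the challenge only for a cookie this server issued, for this user,
    for a credential that still exists, and that has not expired. Every failure
    path falls through to 'prompt for the code'."""
    token = cookies.get(COOKIE_NAME)
    if not token or "." not in token:
        return False
    body, tag_hex = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        tag = bytes.fromhex(tag_hex)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Constant-time MAC check: this is what rejects a forged or edited cookie.
    if not hmac.compare_digest(_mac(payload, key), tag):
        return False
    try:
        uid, cred_id, exp_str = payload.decode().split("|")
        exp = int(exp_str)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if current >= exp:
        return False
    if uid != user_id:  # cookie was issued to someone else
        return False
    # Tie the cookie to the OTP credential: deleting or re-enrolling the phone
    # invalidates any remembered answer.
    return cred_id in active_credential_ids


def demo():
    """Run the report's scenario and a few neighbours; returns each outcome."""
    t0 = 1_700_000_000
    forged = {COOKIE_NAME: "true"}  # step 2 of the reproduction: typed in devtools
    legit = {COOKIE_NAME: issue_otp_cookie("alice", "cred-1", 3600, now=t0)}
    val = legit[COOKIE_NAME]
    tampered = {COOKIE_NAME: val[:-1] + ("0" if val[-1] != "0" else "1")}
    wrong_key = {COOKIE_NAME: issue_otp_cookie("alice", "cred-1", 3600, key=b"guess", now=t0)}
    creds = {"cred-1"}
    return {
        "forged_bypasses_vulnerable": vulnerable_skip_otp(forged),
        "forged_bypasses_hardened": hardened_skip_otp(forged, "alice", creds, now=t0),
        "legit_skips_hardened": hardened_skip_otp(legit, "alice", creds, now=t0 + 60),
        "legit_expired": hardened_skip_otp(legit, "alice", creds, now=t0 + 3600),
        "legit_other_user": hardened_skip_otp(legit, "bob", creds, now=t0 + 60),
        "legit_credential_removed": hardened_skip_otp(legit, "alice", set(), now=t0 + 60),
        "tampered_mac": hardened_skip_otp(tampered, "alice", creds, now=t0 + 60),
        "minted_with_wrong_key": hardened_skip_otp(wrong_key, "alice", creds, now=t0 + 60),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the contrast is where the trust lives: in the first check it lives in the cookie's value, which the browser owns; in the second it lives in `SERVER_KEY` and in server-side state (the user's session and the credential store), and the cookie is only a reference that has to match them.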

cooperlyt commented 1 year ago

Oops! Thanks for the report! I ignored it! I will validate the OTP credential on the cookie.