p2-inc / keycloak-magic-link

Magic Link Authentication for Keycloak

Brute force OTP #83

Closed AlexisZankowitch closed 3 days ago

AlexisZankowitch commented 3 days ago

I had a look at the title of the other issues and couldn't find something similar. I hope I am not creating a duplicate.

I stumbled upon this project while researching some OTP possibilities for Keycloak.

I can see in the readme there is an expiration_seconds for the magic link. However, I didn't see any properties/settings for the OTP. Is there a similar expiration feature?

I would like to offer an OTP solution to my users but it needs to be safe against brute force.

xgp commented 3 days ago

The Email OTP functionality is very simple right now.

Is there a similar expiration feature?

Not explicitly. The OTP expires with the authentication session, so the "Login timeout" you set in your realm settings controls this.

I would like to offer an OTP solution to my users but it needs to be safe against brute force.

We don't currently increment the brute force attack detection counter, but this seems like a good feature. The code should be fairly easy to find in the Keycloak authenticators. Feel free to file a separate issue and PR this if you build it.