defenseunicorns / uds-identity-config

https://uds.defenseunicorns.com/core/identity/
Apache License 2.0

Required MFA has some edge cases #148

Open bburky opened 2 months ago

bburky commented 2 months ago

Steps to reproduce

  1. Create a Keycloak account via SAML (and probably via x509 too)
  2. Skip adding a password
  3. Go to the user profile and set a password https://sso.uds.dev/realms/uds/account/#/security/signingin
  4. Observe that the user was created in Keycloak and the user can log in with user and password only

Or

  1. Create a new user with a password
  2. Close the browser window when it prompts you to set MFA
  3. Observe that the user was created in Keycloak and the user can log in with user and password only

In both cases MFA will be enforced on next login with password, but that still is technically a single factor login. The user may already have permissions granted by an admin (added to Keycloak groups) while it is in this single factor state.

Expected result

Whenever a password is set, MFA should also be required. If MFA is somehow skipped, the user account shouldn't be created at all during new user registration. When setting a first password on an existing user, require MFA before saving the password to the existing account.

Actual Result

User accounts can be created with a password only. MFA is enforced on next login, but this first password login is actually a single factor login.
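The single-factor state described in this report can be checked for on an existing realm rather than only observed at login time. The following is an added example, not code from uds-identity-config or from Keycloak: it audits user, credential and group records in the shapes the Keycloak Admin REST API returns (a user's `requiredActions`, a credential's `type`, a group's `name`) and flags every account that holds a password credential but no second-factor credential, noting whether MFA enrolment is merely queued as a required action and whether the account already sits in a privileged group. The records below are constructed to mirror the two scenarios above; the credential type names and required action ids are assumptions about the Admin API.

```python
"""Audit Keycloak-style user records for accounts that hold a password but no second factor.

Added example for the MFA edge cases described in the issue; not code from
uds-identity-config or from Keycloak. It assumes the record shapes returned by
the Keycloak Admin REST API (UserRepresentation with "id", "username" and
"requiredActions"; CredentialRepresentation with "type"; GroupRepresentation
with "name"). The sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Credential types that count as a second factor (assumed Admin API values).
SECOND_FACTOR_TYPES = {"otp", "webauthn", "webauthn-passwordless"}
# Required actions that defer MFA enrolment to the next login (assumed ids).
MFA_SETUP_ACTIONS = {"CONFIGURE_TOTP", "webauthn-register"}


@dataclass
class Finding:
    username: str
    mfa_pending: bool            # True when enrolment is only queued as a required action
    privileged_groups: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Privileges granted while the account is single-factor are the worst case.
        return "high" if self.privileged_groups else "medium"


def find_single_factor_users(users, credentials_by_user, groups_by_user,
                             privileged_groups=("admin",)):
    """Return a Finding for every user who can currently log in with a password alone.

    A user is flagged when they hold a "password" credential and no credential of
    a second-factor type, regardless of whether CONFIGURE_TOTP is queued: the
    queued action is exactly the state the issue calls a single-factor login.
    """
    findings = []
    for user in users:
        types = {c["type"] for c in credentials_by_user.get(user["id"], [])}
        if "password" not in types or types & SECOND_FACTOR_TYPES:
            continue  # no password (e.g. SAML/x509 only) or MFA already enrolled
        pending = bool(set(user.get("requiredActions", [])) & MFA_SETUP_ACTIONS)
        groups = [g["name"] for g in groups_by_user.get(user["id"], [])]
        findings.append(Finding(
            username=user["username"],
            mfa_pending=pending,
            privileged_groups=sorted(g for g in groups if g in privileged_groups),
        ))
    # Privileged single-factor accounts first, then alphabetically.
    findings.sort(key=lambda f: (not f.privileged_groups, f.username))
    return findings


# Constructed sample data mirroring the two scenarios in the issue.
SAMPLE_USERS = [
    # 1. Created via SAML, later set a password in the account console; MFA queued.
    {"id": "u1", "username": "alice", "requiredActions": ["CONFIGURE_TOTP"]},
    # 2. Registered with a password, closed the browser at the MFA prompt.
    {"id": "u2", "username": "bob", "requiredActions": ["CONFIGURE_TOTP"]},
    # Completed registration including OTP enrolment.
    {"id": "u3", "username": "carol", "requiredActions": []},
    # x509-only account that never set a password.
    {"id": "u4", "username": "dave", "requiredActions": []},
]
SAMPLE_CREDENTIALS = {
    "u1": [{"type": "password"}],
    "u2": [{"type": "password"}],
    "u3": [{"type": "password"}, {"type": "otp"}],
    "u4": [],
}
SAMPLE_GROUPS = {
    "u1": [{"name": "admin"}],   # privileges already granted while single-factor
    "u2": [],
    "u3": [{"name": "admin"}],
    "u4": [],
}


def audit_sample():
    """Run the audit over the constructed records."""
    return find_single_factor_users(SAMPLE_USERS, SAMPLE_CREDENTIALS, SAMPLE_GROUPS)


if __name__ == "__main__":
    for f in audit_sample():
        state = "MFA enrolment queued for next login" if f.mfa_pending else "no MFA required action"
        print(f"[{f.severity}] {f.username}: password only, {state}, groups={f.privileged_groups}")
```

Against a live realm the same function would be fed the results of `GET /admin/realms/{realm}/users`, `GET /admin/realms/{realm}/users/{id}/credentials` and `GET /admin/realms/{realm}/users/{id}/groups`; the point of keeping the check independent of `requiredActions` is that an account with `CONFIGURE_TOTP` queued still authenticates with the password alone on its next login, which is the gap the report describes.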

UnicornChance commented 2 months ago

Configuring Keycloak to not create a user unless successfully completing the entire registration form and MFA setup seems like it would be some kind of custom plugin? Maybe you have some more insight into how this would work.

I think the process of first login expecting an MFA to be configured if somehow skipped during registration is the standard industry approach and would lead to a single login where an SFA was necessary.

This is also somewhat similar but also kinda conflicting with this other MFA issue.

Just looking for a good path forward.