I’m building a multi-MFA flow in Keycloak 26.5.1 where users can be assigned one of three MFA methods: SMS, Email OTP, or TOTP. The method is stored as a user attribute mfa_option with values SMS, Email, or TOTP.
Current flow structure:

- MFA Selection Sub-flow (Required/Alternative — tested both)
  - SMS FLOW (Conditional) — condition: mfa_option = SMS
  - EMAIL FLOW (Conditional) — condition: mfa_option = Email
  - TOTP FLOW (Conditional) — condition: mfa_option = TOTP

Behavior per MFA method:

- TOTP → works correctly, QR code appears as expected
- SMS → after username/password, page just refreshes and restarts login with no error
- Email → throws "Cannot login, credential setup required"

What I’ve already tried:

- Tested MFA Selection Sub-flow as both Required and Alternative
- Confirmed the mfa_option attribute is correctly set on the user in Keycloak Admin
- Tested in incognito mode — same behavior
- With some configurations the MFA challenge is skipped entirely and user logs in directly
The attribute value is definitely correct — I can see it in the user’s attributes tab. TOTP works so the flow is partially correct, but SMS and Email are broken in different ways.
Any idea what’s wrong with the flow configuration?
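The flow in the question routes users into conditional sub-flows on the value of a single user attribute, so the thing worth checking before anything else is that every attribute value you expect (and the case where the attribute is missing) lands in exactly one sub-flow. If no conditional sub-flow matches, a Required parent sub-flow completes with nothing executed and the login proceeds without any second factor, which is the "MFA challenge is skipped entirely" symptom. Below is an added example (not code from the question or from Keycloak) that replays the built-in "Condition - user attribute" evaluation over a constructed realm-export-shaped fragment and a few constructed users. It assumes the export field names shown (modelled on Keycloak's realm export; check against your own `kc.sh export` output), the built-in provider id `conditional-user-attribute` with config keys `attribute_name`, `attribute_expected_value` and `not`, exact string equality for the comparison, and hypothetical placeholder ids for the SMS and Email authenticators. The Email condition is deliberately misconfigured (`email` vs the users' `Email`) to show how a value mismatch appears in the report.

```python
"""Offline audit of attribute-routed conditional MFA sub-flows (added example).

Assumptions: export shape modelled on Keycloak's realm export; the condition
compares the user's attribute values with attribute_expected_value by exact
string equality (negated when "not" is "true"); a CONDITIONAL sub-flow with no
active condition execution is treated as skipped. SMS/Email authenticator ids
are hypothetical placeholders.
"""

COND_PROVIDER = "conditional-user-attribute"  # built-in "Condition - user attribute"


def _cond_subflow(alias, cfg_alias, authenticator_id):
    """Constructed conditional sub-flow: one REQUIRED attribute condition
    followed by one REQUIRED authenticator."""
    return {
        "alias": alias,
        "providerId": "basic-flow",
        "authenticationExecutions": [
            {"authenticator": COND_PROVIDER, "requirement": "REQUIRED", "priority": 10,
             "authenticatorFlow": False, "authenticatorConfig": cfg_alias},
            {"authenticator": authenticator_id, "requirement": "REQUIRED", "priority": 20,
             "authenticatorFlow": False},
        ],
    }


def _attr_config(alias, expected, negate=False):
    """Constructed authenticatorConfig entry for the attribute condition."""
    return {"alias": alias, "config": {"attribute_name": "mfa_option",
            "attribute_expected_value": expected, "not": str(negate).lower()}}


# Constructed export. The Email condition deliberately expects "email" while
# users carry "Email", to show a value mismatch in the report.
EXPORT = {
    "authenticationFlows": [
        {"alias": "MFA Selection", "providerId": "basic-flow",
         "authenticationExecutions": [
             {"flowAlias": "SMS FLOW", "requirement": "CONDITIONAL", "priority": 10, "authenticatorFlow": True},
             {"flowAlias": "EMAIL FLOW", "requirement": "CONDITIONAL", "priority": 20, "authenticatorFlow": True},
             {"flowAlias": "TOTP FLOW", "requirement": "CONDITIONAL", "priority": 30, "authenticatorFlow": True},
         ]},
        _cond_subflow("SMS FLOW", "sms-cond", "sms-authenticator"),            # hypothetical id
        _cond_subflow("EMAIL FLOW", "email-cond", "email-otp-authenticator"),  # hypothetical id
        _cond_subflow("TOTP FLOW", "totp-cond", "auth-otp-form"),
    ],
    "authenticatorConfig": [
        _attr_config("sms-cond", "SMS"),
        _attr_config("email-cond", "email"),   # constructed mismatch
        _attr_config("totp-cond", "TOTP"),
    ],
}

# Constructed users; Keycloak user attributes are multi-valued lists.
USERS = {
    "alice": {"mfa_option": ["SMS"]},
    "bob":   {"mfa_option": ["Email"]},
    "carol": {"mfa_option": ["TOTP"]},
    "dave":  {},                      # attribute never set
}


def condition_matches(config, user_attrs):
    """Evaluate one attribute condition against a user's attributes."""
    values = user_attrs.get(config["attribute_name"], [])
    matched = config["attribute_expected_value"] in values
    negate = config.get("not", "false").lower() == "true"
    return matched != negate


def route_user(export, parent_alias, user_attrs):
    """Return the aliases of the CONDITIONAL sub-flows under parent_alias whose
    REQUIRED conditions all hold for this user, in priority order."""
    flows = {f["alias"]: f for f in export["authenticationFlows"]}
    configs = {c["alias"]: c["config"] for c in export.get("authenticatorConfig", [])}
    matched = []
    for ex in sorted(flows[parent_alias]["authenticationExecutions"], key=lambda e: e["priority"]):
        if not ex.get("authenticatorFlow") or ex["requirement"] != "CONDITIONAL":
            continue
        sub = flows[ex["flowAlias"]]
        conds = [e for e in sub["authenticationExecutions"]
                 if e.get("authenticator") == COND_PROVIDER and e["requirement"] == "REQUIRED"]
        # No active condition -> sub-flow skipped; otherwise every condition must hold.
        if conds and all(condition_matches(configs[c["authenticatorConfig"]], user_attrs) for c in conds):
            matched.append(ex["flowAlias"])
    return matched


def audit(export, parent_alias, users):
    """Map each user to the sub-flow that would run, or flag fail-open / ambiguity."""
    report = {}
    for name, attrs in users.items():
        hit = route_user(export, parent_alias, attrs)
        if not hit:
            report[name] = "NO MFA (fail-open)"
        elif len(hit) > 1:
            report[name] = "MULTIPLE: " + ", ".join(hit)
        else:
            report[name] = hit[0]
    return report


if __name__ == "__main__":
    for user, verdict in audit(EXPORT, "MFA Selection", USERS).items():
        print(f"{user:6s} -> {verdict}")
```

Run it against your own exported realm by replacing `EXPORT` with the parsed export and `USERS` with the attribute sets you expect in production, including a user with no `mfa_option` at all; any "NO MFA" line is a bypass path rather than a broken step, and a mismatch in spelling or case between the condition's expected value and the stored attribute is the first thing this report makes visible.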
