Conditional sub-flows not respecting user attribute condition
13:39 01 Jun 2026

I’m building a multi-MFA flow in Keycloak 26.5.1 where users can be assigned one of three MFA methods: SMS, Email OTP, or TOTP. The method is stored as a user attribute mfa_option with values SMS, Email, or TOTP.

Current flow structure:

  • MFA Selection Sub-flow (Required/Alternative — tested both)

    • SMS FLOW (Conditional) — condition: mfa_option = SMS

    • EMAIL FLOW (Conditional) — condition: mfa_option = Email

    • TOTP FLOW (Conditional) — condition: mfa_option = TOTP

Behavior per MFA method:

  • TOTP → works correctly, QR code appears as expected

  • SMS → after username/password, page just refreshes and restarts login with no error

  • Email → throws "Cannot login, credential setup required"

What I’ve already tried:

  • Tested MFA Selection Sub-flow as both Required and Alternative

  • Confirmed the mfa_option attribute is correctly set on the user in Keycloak Admin

  • Tested in incognito mode — same behavior

  • With some configurations the MFA challenge is skipped entirely and user logs in directly

The attribute value is definitely correct — I can see it in the user’s attributes tab. TOTP works so the flow is partially correct, but SMS and Email are broken in different ways.

Any idea what’s wrong with the flow configuration?


keycloak
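Added example, not part of the question above and not the poster's configuration: a small Python check that reads the authenticationFlows and authenticatorConfig sections of a Keycloak realm export (the JSON written by kc.sh export or the admin console's partial export) and flags the structural mistakes that most commonly make a conditional MFA sub-flow either skip the challenge or never run. It looks for a CONDITIONAL requirement on the sub-flow reference, a REQUIRED condition execution whose config carries attribute_name and attribute_expected_value (the config keys of Keycloak's "Condition - user attribute"), at least one enabled authenticator after the condition, one attribute name across all sub-flows, and distinct expected values. The sample export is constructed for this example; the sms-authenticator and email-otp-authenticator provider ids are hypothetical placeholders for custom authenticators, and the check does not claim to diagnose the specific failure in the question.

```python
"""Structural lint for Keycloak conditional sub-flows in a realm export (added example)."""
import json

CONDITION_PREFIX = "conditional-"
USER_ATTR_CONDITION = "conditional-user-attribute"
# Config keys used by Keycloak's "Condition - user attribute" authenticator.
ATTR_NAME_KEY = "attribute_name"
ATTR_VALUE_KEY = "attribute_expected_value"


def lint_conditional_subflows(realm: dict, parent_alias: str) -> list[str]:
    """Return findings for every sub-flow referenced from parent_alias."""
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    configs = {c["alias"]: c.get("config", {}) for c in realm.get("authenticatorConfig", [])}
    if parent_alias not in flows:
        return [f"parent flow '{parent_alias}' not found"]

    findings, attr_names, expected_values = [], set(), []
    for ex in flows[parent_alias]["authenticationExecutions"]:
        # Realm exports spell this key "autheticatorFlow" (sic); accept both spellings.
        if not ex.get("autheticatorFlow", ex.get("authenticatorFlow", False)):
            continue
        sub_alias = ex["flowAlias"]
        if ex["requirement"] != "CONDITIONAL":
            findings.append(f"{sub_alias}: sub-flow requirement is {ex['requirement']}, "
                            "not CONDITIONAL; its conditions are never evaluated")
            continue
        if sub_alias not in flows:
            findings.append(f"{sub_alias}: referenced but not present in export")
            continue
        sub_execs = flows[sub_alias]["authenticationExecutions"]
        conditions = [e for e in sub_execs
                      if e.get("authenticator", "").startswith(CONDITION_PREFIX)]
        active = [c for c in conditions if c["requirement"] == "REQUIRED"]
        if not active:
            findings.append(f"{sub_alias}: no REQUIRED condition; nothing gates this sub-flow")
        for cond in active:
            if cond["authenticator"] != USER_ATTR_CONDITION:
                continue
            cfg = configs.get(cond.get("authenticatorConfig", ""), {})
            name, value = cfg.get(ATTR_NAME_KEY), cfg.get(ATTR_VALUE_KEY)
            if not name or not value:
                findings.append(f"{sub_alias}: user-attribute condition has no "
                                f"{ATTR_NAME_KEY}/{ATTR_VALUE_KEY} configured")
                continue
            attr_names.add(name)
            expected_values.append((sub_alias, value))
        # Once the condition passes, something must actually challenge the user.
        challengers = [e for e in sub_execs if e not in conditions
                       and e["requirement"] in ("REQUIRED", "ALTERNATIVE")]
        if not challengers:
            findings.append(f"{sub_alias}: no REQUIRED/ALTERNATIVE authenticator; "
                            "the sub-flow passes without a challenge")
    if len(attr_names) > 1:
        findings.append(f"conditions read different attributes: {sorted(attr_names)}")
    seen = {}
    for alias, value in expected_values:
        if value in seen:
            findings.append(f"{alias} and {seen[value]} both match '{value}'")
        seen.setdefault(value, alias)
    return findings


def sample_export() -> dict:
    """Constructed export fragment: three conditional sub-flows, two of them flawed."""
    def cond(cfg_alias):
        return {"authenticator": USER_ATTR_CONDITION, "authenticatorConfig": cfg_alias,
                "requirement": "REQUIRED", "priority": 10, "autheticatorFlow": False}

    def auth(provider, requirement="REQUIRED"):
        return {"authenticator": provider, "requirement": requirement,
                "priority": 20, "autheticatorFlow": False}

    def ref(alias):
        return {"requirement": "CONDITIONAL", "priority": 30,
                "autheticatorFlow": True, "flowAlias": alias}

    def flow(alias, execs):
        return {"alias": alias, "providerId": "basic-flow", "topLevel": False,
                "builtIn": False, "authenticationExecutions": execs}

    return {
        "authenticationFlows": [
            flow("MFA Selection", [ref("SMS FLOW"), ref("EMAIL FLOW"), ref("TOTP FLOW")]),
            # Correct shape: condition REQUIRED, then the authenticator REQUIRED.
            flow("TOTP FLOW", [cond("totp-cond"), auth("auth-otp-form")]),
            # Flawed: the (hypothetical) SMS authenticator is DISABLED, so no challenge.
            flow("SMS FLOW", [cond("sms-cond"), auth("sms-authenticator", "DISABLED")]),
            # Flawed: the condition config never sets the expected value.
            flow("EMAIL FLOW", [cond("email-cond"), auth("email-otp-authenticator")]),
        ],
        "authenticatorConfig": [
            {"alias": "totp-cond", "config": {ATTR_NAME_KEY: "mfa_option", ATTR_VALUE_KEY: "TOTP", "not": "false"}},
            {"alias": "sms-cond", "config": {ATTR_NAME_KEY: "mfa_option", ATTR_VALUE_KEY: "SMS", "not": "false"}},
            {"alias": "email-cond", "config": {ATTR_NAME_KEY: "mfa_option", "not": "false"}},
        ],
    }


if __name__ == "__main__":
    # Replace sample_export() with json.load(open("realm-export.json")) for a real export.
    for finding in lint_conditional_subflows(sample_export(), "MFA Selection"):
        print(finding)
```

Run it against a real export by swapping sample_export() for json.load on the exported file and passing the alias of your MFA selection sub-flow; an empty result means the structure matches the intended shape, which does not by itself prove the conditions evaluate the way you expect at login.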