Keycloak Two-Factor Authentication

This post describes how to configure two-factor authentication (2FA) in Keycloak.

What is Two-Factor Authentication?

According to Wikipedia:
Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by utilizing a combination of two different factors:

  1. Something they know
  2. Something they have or something they are

Keycloak Two-Factor Authentication

Keycloak authenticates users using:

  1. A password (something they know)
  2. A one-time password (OTP) generated by a mobile authenticator app such as Google Authenticator or FreeOTP (something they have)

Keycloak configuration

Enforce new users to configure OTP

Open the Keycloak admin console, open Authentication, go to the Required Actions tab.

In the Configure OTP row, switch on Default Action (the action must also be Enabled). This only affects users created after the change; existing users are not touched.

Enforce an existing user to configure OTP

Open the Keycloak admin console, open Users, select a user, go to the Details tab.

In the Required User Actions list select Configure OTP. At the user's next login Keycloak forces the OTP setup before granting access.

OTP Policy configuration

Open Keycloak admin page, open Authentication, go to the OTP Policy tab.

Keycloak documentation related to OTP Policies is here

The time-based OTP type (TOTP) is the recommended choice. TOTP requires the clocks of the Keycloak server and the user's device to be roughly synchronized.

If the server and the device cannot be kept in sync, use the counter-based type (HOTP). Note that HOTP has its own failure mode: each code the user generates without submitting it moves the device counter ahead of the server counter.

Set Look Ahead Window to 3. For TOTP this makes Keycloak accept a code from up to 3 periods before or after the current one (with the default 30-second period, about 90 seconds of clock drift either way); for HOTP it accepts a code up to 3 counter steps ahead of the stored counter. The Keycloak default is 1; a larger window tolerates more drift at the cost of accepting more valid codes at any moment.
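The same three configuration steps (default Configure OTP for new users, Configure OTP for an existing user, and the OTP policy) can be scripted against the Keycloak Admin REST API instead of clicked through the console. The script below is an added example, not code from the post or from Keycloak; it uses only the standard library. The realm name `demo`, the admin credentials and the server URL are assumptions read from environment variables (older Keycloak releases serve everything under a `/auth` prefix, so set `KEYCLOAK_URL` accordingly). The required-action alias `CONFIGURE_TOTP` and the `otpPolicy*` realm attributes are the names Keycloak uses for what the console labels "Configure OTP" and the OTP Policy tab.

```python
"""Configure Keycloak OTP enforcement and policy via the Admin REST API.

Added example (not from the post, not Keycloak's own tooling).
Assumed: server at KEYCLOAK_URL, admin user in the master realm, target realm
named in KEYCLOAK_REALM. Network calls happen only in main().
"""
import json
import os
import urllib.parse
import urllib.request

BASE = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")   # assumed
REALM = os.environ.get("KEYCLOAK_REALM", "demo")                 # assumed realm
ADMIN_USER = os.environ.get("KEYCLOAK_ADMIN", "admin")           # assumed
ADMIN_PASS = os.environ.get("KEYCLOAK_ADMIN_PASSWORD", "admin")  # assumed

CONFIGURE_TOTP = "CONFIGURE_TOTP"   # alias of the "Configure OTP" required action


def otp_policy(otp_type="totp", look_ahead=3, digits=6, period=30,
               algorithm="HmacSHA1", initial_counter=0):
    """Realm attributes behind the OTP Policy tab, as a partial RealmRepresentation.

    TOTP with look_ahead=3 accepts codes from 3 periods before and after the
    server clock; HOTP accepts codes up to 3 counter steps ahead.
    """
    if otp_type not in ("totp", "hotp"):
        raise ValueError("otpPolicyType must be 'totp' or 'hotp'")
    if look_ahead < 0 or digits not in (6, 8):
        raise ValueError("lookAheadWindow must be >= 0 and digits 6 or 8")
    rep = {
        "otpPolicyType": otp_type,
        "otpPolicyAlgorithm": algorithm,
        "otpPolicyDigits": digits,
        "otpPolicyLookAheadWindow": look_ahead,
        "otpPolicyPeriod": period,
    }
    if otp_type == "hotp":
        rep["otpPolicyInitialCounter"] = initial_counter
    return rep


def mark_required_action(user_rep, alias=CONFIGURE_TOTP):
    """Return a copy of a user representation with the action added exactly once."""
    actions = list(user_rep.get("requiredActions") or [])
    if alias not in actions:
        actions.append(alias)
    return {**user_rep, "requiredActions": actions}


def _call(method, path, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{BASE}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None   # PUT returns 204 with no body


def admin_token():
    """Password grant against the master realm using the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": ADMIN_USER, "password": ADMIN_PASS}).encode()
    req = urllib.request.Request(
        f"{BASE}/realms/master/protocol/openid-connect/token", data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def enforce_otp_for_new_users(token):
    """Required Actions tab: make Configure OTP enabled and a default action."""
    path = f"/admin/realms/{REALM}/authentication/required-actions/{CONFIGURE_TOTP}"
    rep = _call("GET", path, token)          # fetch full representation, then update it
    rep.update(enabled=True, defaultAction=True)
    _call("PUT", path, token, rep)


def enforce_otp_for_user(token, username):
    """Users > Details tab: add Configure OTP to one existing user's required actions."""
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    users = _call("GET", f"/admin/realms/{REALM}/users?{query}", token)
    match = [u for u in users if u.get("username") == username]
    if not match:
        raise LookupError(f"user {username!r} not found in realm {REALM}")
    user = match[0]
    _call("PUT", f"/admin/realms/{REALM}/users/{user['id']}", token,
          mark_required_action(user))


def set_otp_policy(token, **policy):
    """OTP Policy tab: partial realm update with the otpPolicy* attributes."""
    _call("PUT", f"/admin/realms/{REALM}", token, otp_policy(**policy))


if __name__ == "__main__":
    tok = admin_token()
    set_otp_policy(tok, otp_type="totp", look_ahead=3)
    enforce_otp_for_new_users(tok)
    enforce_otp_for_user(tok, os.environ.get("TARGET_USER", "alice"))  # assumed user
```

Both update functions read the current representation before writing it back, so other settings in the same object are preserved; `otp_policy` is deliberately a partial representation because Keycloak only applies realm fields that are present.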

User’s Mobile Authenticator

One Time Setup

A user sets up the mobile authenticator once, right after completing user name and password authentication:

The example below shows the Google Authenticator.

Download

Download Google Authenticator.

Install Google Authenticator

Scan the QR code

Provide the generated code to the Keycloak setup login page

Authentication using One-time code

On every later login the user must enter the current one-time code after completing user name and password authentication:
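What the QR code carries, what the authenticator app computes from it, and how the server checks the submitted code against the look-ahead window from the OTP Policy section above, shown as an added example in plain Python (not code from the post or from Keycloak, which has its own implementation of the same RFC 4226 and RFC 6238 algorithms). The `otpauth://` URI and the 20-byte secret are constructed sample data; the secret is the one used in the RFC test vectors, so the expected codes are known.

```python
"""HOTP/TOTP generation and look-ahead verification (RFC 4226 / RFC 6238).

Added example, not the post's or Keycloak's code; standard library only.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

_ALGS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample: the RFC 4226/6238 test secret, base32-encoded as the QR code carries it
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/demo:alice?secret="
              + base64.b32encode(SAMPLE_SECRET).decode()
              + "&digits=6&algorithm=SHA1&issuer=demo&period=30")


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _ALGS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step (now // period)."""
    return hotp(secret, int(now) // period, digits, algorithm)


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())   # constant-time compare


def verify_totp(secret, code, now, look_ahead=1, period=30, digits=6, algorithm="SHA1"):
    """Accept the code if it matches any time step within +/- look_ahead of the server's.

    This is the TOTP meaning of the Look Ahead Window: it is how much clock
    drift between server and device is tolerated.
    """
    step = int(now) // period
    return any(_same(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-look_ahead, look_ahead + 1))


def verify_hotp(secret, code, counter, look_ahead=1, digits=6, algorithm="SHA1"):
    """Accept the code if its counter is in [counter, counter + look_ahead].

    Returns the next counter to store (matched counter + 1) or None. Codes the
    user generated but never submitted advance the device past the server;
    the window is what lets the server catch up.
    """
    for c in range(counter, counter + look_ahead + 1):
        if _same(hotp(secret, c, digits, algorithm), code):
            return c + 1
    return None


def parse_otpauth(uri):
    """Decode the provisioning URI the QR code encodes (type, label, secret, parameters)."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper().rstrip("=")
    b32 += "=" * (-len(b32) % 8)            # restore padding some apps omit
    return {
        "type": u.netloc,                     # "totp" or "hotp"
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


if __name__ == "__main__":
    import time
    prov = parse_otpauth(SAMPLE_URI)
    now = time.time()
    code = totp(prov["secret"], now, prov["period"], prov["digits"], prov["algorithm"])
    print("authenticator shows", code, "accepted:", verify_totp(prov["secret"], code, now, look_ahead=3))
```

Rejecting a submitted TOTP code once it has been accepted (replay protection within the window) is a server-side concern on top of this; the verification here only answers whether the code is valid for some step in the window.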