What will I cover in this post? In my previous post I described Two-Factor Authentication with WebAuthn. But what should you do when a user replaces their WebAuthn device? In this post we will learn how to reset WebAuthn for a specific user. In addition, we will see how to revert the WebAuthn configuration for all users. Reset WebAuthn for a specific user If a user replaces their WebAuthn device, they will not be able to log in and will see the following error:
What will I cover in this post? We will learn how to configure Two-Factor Authentication with Keycloak WebAuthn. In this post, I plan on: explaining what WebAuthn is, and explaining how to configure WebAuthn in Keycloak. What is WebAuthn? WebAuthn (Web Authentication) is a W3C standard developed together with the FIDO Alliance. It defines a standard web API that gives users a new, phishing-resistant way to authenticate with a hardware or platform authenticator. Because the API is built into browsers and the surrounding web platform infrastructure, the same authentication flow is available across sites and on many device types.
How To Access Keycloak APIs Using Two-Factor Authentication Two-Factor Authentication is a strong and widely recommended security control. In my previous post I described how to configure Two-Factor Authentication in Keycloak. This short (but important) post describes how to access the Keycloak APIs when Two-Factor Authentication is enabled. Access Keycloak APIs Using User Name and Password Let’s first access the Keycloak APIs using a user name and password. According to the Keycloak documentation, you first need to obtain an access token.
My presentation at OWASP Appsec IL 2018 The video is published here. Passwords are passé. WebAuthn is simpler, stronger and ready to go from Michael Furman
Disabling Two-Factor Authentication This post describes how to disable Two-Factor Authentication in Keycloak. Disabling Two-Factor Authentication for a specific user In my previous post I described how to configure Two-Factor Authentication. But what should you do when a user has lost their mobile device? What should you do when a user has uninstalled Google Authenticator by mistake? You need to disable Two-Factor Authentication for that user. Configuration Open the Keycloak admin console, go to Users, open the user and switch to the Credentials tab.
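The Credentials-tab procedure in this post, and the per-user WebAuthn reset in the post above, can also be scripted against the Keycloak Admin REST API, which is what you want when a lost authenticator has to be revoked from a runbook rather than by clicking through the console. The following is an added example and not the blog's own code. It assumes a base URL and realm, an admin bearer token obtained elsewhere, the credential type names Keycloak reports ("otp", "webauthn", "webauthn-passwordless"), and the required-action ids that make the user enrol a new device at the next login; none of these come from the post.

```python
"""Added example, not code from the blog: scripted equivalent of
Users -> user -> Credentials -> delete, via the Keycloak Admin REST API.
Assumptions (not in the post): base URL, realm, an admin bearer token,
the credential type names and the required-action ids below."""
import json
import urllib.request

# Credential type -> required action that forces re-enrolment at next login.
# Assumption: these are the identifiers Keycloak uses for these actions.
RE_ENROL_ACTION = {
    "otp": "CONFIGURE_TOTP",
    "webauthn": "webauthn-register",
    "webauthn-passwordless": "webauthn-register-passwordless",
}


def urllib_transport(method, url, token, body=None):
    """Real transport: JSON over HTTPS with the admin bearer token."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def reset_second_factor(base_url, realm, user_id, cred_type, token,
                        transport=urllib_transport):
    """Remove every credential of cred_type from the user and flag the account
    so Keycloak asks for a new enrolment at the next login.  Returns the ids
    of the credentials removed, for the audit log."""
    if cred_type not in RE_ENROL_ACTION:
        raise ValueError(f"unsupported second-factor type {cred_type!r}")
    user_url = f"{base_url}/admin/realms/{realm}/users/{user_id}"

    status, creds = transport("GET", f"{user_url}/credentials", token)
    if status != 200:
        raise RuntimeError(f"listing credentials failed: HTTP {status}")
    # Filter on type: the same list also holds the password credential,
    # which must survive the reset.
    victims = [c for c in creds if c.get("type") == cred_type]
    for cred in victims:
        status, _ = transport("DELETE", f"{user_url}/credentials/{cred['id']}", token)
        if status not in (200, 204):
            raise RuntimeError(f"deleting {cred['id']} failed: HTTP {status}")

    # Without a required action the user would simply log in with one factor,
    # so mark the account to enrol a replacement device immediately.
    status, user = transport("GET", user_url, token)
    if status != 200:
        raise RuntimeError(f"reading user failed: HTTP {status}")
    actions = set(user.get("requiredActions") or [])
    actions.add(RE_ENROL_ACTION[cred_type])
    user["requiredActions"] = sorted(actions)
    status, _ = transport("PUT", user_url, token, user)
    if status not in (200, 204):
        raise RuntimeError(f"updating user failed: HTTP {status}")
    return [c["id"] for c in victims]


def make_fake_transport(credentials, user):
    """Offline stand-in for urllib_transport: serves the given (constructed)
    credential list and user representation and records every call."""
    log = []

    def transport(method, url, token, body=None):
        log.append((method, url, body))
        if method == "GET" and url.endswith("/credentials"):
            return 200, [dict(c) for c in credentials]
        if method == "DELETE":
            cred_id = url.rsplit("/", 1)[1]
            credentials[:] = [c for c in credentials if c["id"] != cred_id]
            return 204, None
        if method == "GET":
            return 200, dict(user)
        if method == "PUT":
            user.update(body)
            return 204, None
        return 404, None

    return transport, log


if __name__ == "__main__":
    # Constructed sample data, not from a real realm.
    creds = [{"id": "p1", "type": "password"}, {"id": "o1", "type": "otp"}]
    alice = {"id": "u1", "username": "alice", "requiredActions": []}
    fake, calls = make_fake_transport(creds, alice)
    removed = reset_second_factor("https://kc.example", "demo", "u1", "otp", "tok", fake)
    print("removed:", removed, "remaining:", [c["type"] for c in creds])
    print("required actions now:", alice["requiredActions"])
```

Pass `urllib_transport` (the default) with a real admin token to run it against a realm; the fake transport exists so the logic can be exercised offline. The type filter is the important safety check: the credentials endpoint returns the password credential in the same list, and deleting it would lock the user out instead of resetting their second factor.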
Keycloak Two-Factor Authentication This post describes how to configure Two-Factor Authentication in Keycloak. What is Two-Factor Authentication? According to Wikipedia: Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by utilizing a combination of two different factors: something they know, and something they have or something they are. Keycloak Two-Factor Authentication Keycloak authenticates users using a password plus a one-time password (OTP) generated by an authenticator app such as Google Authenticator or FreeOTP.
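The OTP that Google Authenticator or FreeOTP displays is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226), and the direct-grant token request mentioned in the "Access Keycloak APIs Using Two-Factor Authentication" post above has to carry that code alongside the password. The following is an added example, not code from the blog, showing both: the code computation, checked against the RFC test vectors, and the form body for the token endpoint. It assumes a base URL (including /auth on older Keycloak versions), a realm and a client id, and that the realm's direct-grant flow reads the code from the "totp" form field (Keycloak's direct-grant OTP validator also accepts "otp"); these are assumptions, not details from the posts.

```python
"""Added example, not code from the blog: TOTP as the authenticator apps
compute it, plus the direct-grant (password) token request with the OTP.
Assumptions (not in the posts): base URL, realm, client id, and the "totp"
form field name."""
import base64
import hashlib
import hmac
import json
import struct
import time
import urllib.parse
import urllib.request


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).  30 s, 6 digits
    and SHA1 are the defaults both Keycloak and the authenticator apps use."""
    return hotp(secret, now // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """The otpauth:// QR code carries the shared secret as unpadded base32,
    often shown in lower-case groups; normalise and restore padding first."""
    clean = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def direct_grant_body(username: str, password: str, otp_code: str,
                      client_id: str = "my-client") -> dict:
    """Form fields for POST {base}/realms/{realm}/protocol/openid-connect/token
    when the realm's direct-grant flow requires OTP; without the OTP field the
    request is rejected once OTP is required for the user."""
    return {
        "grant_type": "password",
        "client_id": client_id,   # assumption: public client with direct access grants enabled
        "username": username,
        "password": password,
        "totp": otp_code,         # assumption: field name read by the OTP validator
    }


def request_token(base_url: str, realm: str, body: dict) -> dict:
    """The only step that needs a live Keycloak: exchange the form for a token."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(secret, 0), totp(secret, 59, digits=8))   # 755224 94287082
    body = direct_grant_body("alice", "correct horse", totp(secret, int(time.time())))
    print(urllib.parse.urlencode(body))
    # request_token("https://kc.example", "demo", body)  # needs a live realm
```

The code is only valid for one 30-second window, so compute it immediately before sending the request; Keycloak's OTP policy also lets the administrator widen the accepted window ("look ahead") to tolerate clock skew between the server and the phone.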