Multi-Factor Authentication (MFA)
Overview
Multi-factor authentication (MFA) serves as a fundamental security measure designed to fortify account protection. By integrating an additional layer of authentication, MFA requires verification of both primary and secondary factors to grant access to an account. Typically, the primary factor revolves around an email address, while the secondary factor involves a phone number or a mobile device authenticator. The premise behind MFA is that compromising both factors is necessary to breach an account, thus significantly bolstering security.
In practice, primary factors can take various forms such as email, SMS, or social login credentials, while secondary factors often involve a mobile authenticator app like Google Authenticator, Microsoft Authenticator or 2FAS (open-source), or a physical security key like a YubiKey. These secondary factors provide an added level of security by generating unique codes or prompts that must be validated alongside the primary credentials.
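To make concrete what the "unique codes" an authenticator app generates are, here is an added example (not code from this page, from Cloud-IAM or from Keycloak) implementing TOTP (RFC 6238, built on HOTP from RFC 4226) with the parameters Google Authenticator and Keycloak's default OTP policy use: HMAC-SHA1, 6 digits, a 30-second time step and a look-around window of one step. The verifier also remembers the highest time step it has already accepted, so a code that was used once is rejected if it is replayed inside its validity window. The account name, issuer and secret are constructed sample values; the secret is the RFC 6238 test key, so the codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # tolerate unpadded base32
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at // step), digits)


class TotpVerifier:
    """Server-side check for one enrolled secret: 6 digits, 30 s step, +/-1 step of clock skew.
    The highest accepted time step is recorded so each code is single-use."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # this step (or an older one) was already consumed: reject replay
            if hmac.compare_digest(hotp(self.secret_b32, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


def provisioning_uri(secret_b32: str, account: str, issuer: str, digits: int = 6, period: int = 30) -> str:
    """Key URI that the QR code shown at enrollment encodes and the app scans."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&digits={digits}&period={period}&algorithm=SHA1")


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(demo_secret, "user-demo", "tutorial-demo"))
    print("code at T=59 :", totp(demo_secret, at=59))  # RFC 6238 vector, 6-digit form: 287082
    verifier = TotpVerifier(demo_secret)
    print("first use    :", verifier.verify("287082", at=59))
    print("replayed     :", verifier.verify("287082", at=59))
    # A real enrollment generates a fresh random 160-bit secret per user:
    print("new secret   :", base64.b32encode(secrets.token_bytes(20)).decode())
```

The window of one step on each side absorbs small clock differences between the phone and the server; the `last_counter` check is what keeps that tolerance from turning an observed code into a reusable one.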
Use Case
IAM
MFA is commonly used in customer-facing applications to ensure a high level of security for online services such as e-commerce platforms, mobile applications, and online banking. It significantly reduces the risk of unauthorized access, enhancing both security and user trust.
CIAM
In business-to-business (B2B) scenarios, MFA serves the needs of companies looking to streamline access for their partners or vendors. By integrating MFA with existing external systems such as Active Directory (AD) or LDAP, organizations can centralize account management and enforce stringent security measures. This facilitates secure collaboration while maintaining robust security protocols.
IdP Broker
MFA is also beneficial for Identity Provider (IdP) brokers, where it can be used to enhance the security of federated identities. By adding an extra layer of security, it ensures that users accessing services through federated login are thoroughly verified.
Pros & Cons
Pros
Enhanced Security: MFA significantly reduces the risk of unauthorized access by requiring multiple forms of verification.
Increased User Trust: By providing a higher level of security, MFA enhances user trust and confidence in the application.
Compliance: Helps meet regulatory requirements and industry standards for data protection and security.
Cons
Deteriorated User Experience: MFA introduces additional steps in the login process, which may affect user convenience.
Device or App Availability: Users need a device with the authenticator app, or a physical key, to complete MFA, which may limit accessibility for some users.
Supported by Keycloak
Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.
Configuration
How to configure MFA on Keycloak
The following tutorial provides a quick example of configuring the "Multi-Factor Authentication with Google Authenticator" method to help you navigate Keycloak and test it with Google Authenticator. This tutorial does not cover all the necessary security best practices for a complete configuration.
Keycloak console - Realm setting
- From your Keycloak console, select your realm from the dropdown list (here: tutorial-demo)
- Click on Authentication
- Then click on Required actions
- Enable Configure OTP and enable Set as default action
You have now configured Multi-Factor Authentication on your Keycloak.
Keycloak console - Require OTP for existing user
- Click on Users
- Choose an existing user (here: user-demo) (1.)
- Select Configure OTP in the required action list (2. & 3.)
- Then click on Save
This existing user (here: user-demo) will be forced to configure a multi-factor authentication method.
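The two console procedures above (enabling Configure OTP as a default action for the realm, and adding the Configure OTP required action to an existing user) can also be automated against the Keycloak Admin REST API, which is useful when many existing users must be enrolled. The following is an added example, not code from this page or from Cloud-IAM's tooling. It assumes a Keycloak 17+ URL layout without the legacy /auth prefix (the placeholder base URL is not from the page), a realm named tutorial-demo, an admin account in the master realm with rights on that realm, and the `exact` filter of the user search endpoint available in recent Keycloak releases; CONFIGURE_TOTP is the alias behind the "Configure OTP" entry in the console.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumed values (placeholders, not from the tutorial): server URL and admin credentials via env vars.
BASE_URL = os.environ.get("KEYCLOAK_URL", "https://keycloak.example.com")
REALM = "tutorial-demo"
CONFIGURE_OTP = "CONFIGURE_TOTP"  # required-action alias displayed as "Configure OTP"


def with_required_action(user: dict, alias: str = CONFIGURE_OTP) -> dict:
    """Copy of a UserRepresentation with `alias` added to requiredActions.
    Actions already present (e.g. UPDATE_PASSWORD) are kept and the alias is not
    duplicated, because PUT /users/{id} replaces the whole representation."""
    actions = list(user.get("requiredActions") or [])
    if alias not in actions:
        actions.append(alias)
    updated = dict(user)
    updated["requiredActions"] = actions
    return updated


def as_default_action(required_action: dict) -> dict:
    """Copy of a RequiredActionProviderRepresentation with the console's
    'Enabled' and 'Set as default action' switches turned on."""
    payload = dict(required_action)
    payload["enabled"] = True
    payload["defaultAction"] = True
    return payload


def _call(method: str, url: str, token: str = None, data=None, form: bool = False):
    """Minimal JSON/form HTTP helper; returns the decoded body or None for 204 responses."""
    headers = {"Accept": "application/json"}
    body = None
    if data is not None:
        if form:
            body = urllib.parse.urlencode(data).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        else:
            body = json.dumps(data).encode()
            headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(username: str, password: str) -> str:
    """Password grant against the master realm with the built-in admin-cli client."""
    token_url = f"{BASE_URL}/realms/master/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password}
    return _call("POST", token_url, data=form, form=True)["access_token"]


def enable_configure_otp_by_default(token: str) -> None:
    """Realm setting: Authentication > Required actions > Configure OTP, enabled + default."""
    url = f"{BASE_URL}/admin/realms/{REALM}/authentication/required-actions/{CONFIGURE_OTP}"
    current = _call("GET", url, token)
    _call("PUT", url, token, data=as_default_action(current))


def require_otp_for_user(token: str, username: str) -> None:
    """Per-user setting: add Configure OTP to the user's required actions."""
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    matches = _call("GET", f"{BASE_URL}/admin/realms/{REALM}/users?{query}", token)
    if not matches:
        raise LookupError(f"no user {username!r} in realm {REALM}")
    user = matches[0]
    _call("PUT", f"{BASE_URL}/admin/realms/{REALM}/users/{user['id']}", token,
          data=with_required_action(user))


if __name__ == "__main__":
    tok = admin_token(os.environ["KEYCLOAK_ADMIN_USER"], os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    enable_configure_otp_by_default(tok)
    require_otp_for_user(tok, "user-demo")
    print("Configure OTP is a default action and is now required for user-demo")
```

Setting the default action only affects users created afterwards, which is why the per-user step is still needed for accounts that already exist; looping `require_otp_for_user` over a list of usernames enrolls them in one pass.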
Keycloak login screen - MFA first authentication or registration
During the initial authentication with MFA, the user enters their username and password and is then shown the MFA registration page.
- Open the Google Authenticator app on your mobile
- Tap +
- Select Scan a QR Code and scan the QR code shown on the Keycloak login screen
- On the Keycloak login screen, fill in the one-time password displayed by the app (6 characters)
- Enter the name of your device
- Then click on Submit
Keycloak login screen - MFA usual authentication
During a "usual" authentication once MFA is registered, the user enters their username and password, then inputs the 6-character code generated by Google Authenticator.