Multi-Factor Authentication (MFA)
Overview
Multi-factor authentication (MFA) serves as a fundamental security measure designed to fortify account protection. By integrating an additional layer of authentication, MFA requires verification of both primary and secondary factors to grant access to an account. Typically, the primary factor revolves around an email address, while the secondary factor involves a phone number or a mobile device authenticator. The premise behind MFA is that compromising both factors is necessary to breach an account, thus significantly bolstering security.
In practice, primary factors can encompass various forms such as email, SMS, or social login credentials, while secondary factors often involve mobile authenticator apps like Google Authenticator, Microsoft Authenticator or 2FAS (open-source), or a physical security key such as a YubiKey. These secondary factors add a level of security by generating unique codes or prompts that must be validated alongside the primary credentials.

Use Case
IAM
MFA is commonly used in customer-facing applications to ensure a high level of security for online services such as e-commerce platforms, mobile applications, and online banking. It significantly reduces the risk of unauthorized access, enhancing both security and user trust.
CIAM
In business-to-business (B2B) scenarios, MFA serves the needs of companies looking to streamline access for their partners or vendors. By integrating MFA with existing external systems such as Active Directory (AD) or LDAP, organizations can centralize account management and enforce stringent security measures. This facilitates secure collaboration while maintaining robust security protocols.
IdP Broker
MFA is also beneficial for Identity Provider (IdP) brokers, where it can be used to enhance the security of federated identities. By adding an extra layer of security, it ensures that users accessing services through federated login are thoroughly verified.
Pros & Cons
Pros
Enhanced Security: MFA significantly reduces the risk of unauthorized access by requiring multiple forms of verification.
Increased User Trust: By providing a higher level of security, MFA enhances user trust and confidence in the application.
Compliance: Helps meet regulatory requirements and industry standards for data protection and security.
Cons
Deteriorated User Experience: MFA introduces additional steps in the login process, which may affect user convenience.
Device or App Availability: Users need a device with the authenticator app, or a physical security key, to complete MFA, which may limit accessibility for some users.
Supported by Keycloak
Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.
Configuration
How to configure OTP-Based MFA in Keycloak for new users using Google Authenticator
This step-by-step tutorial explains how to configure Multi-Factor Authentication (MFA) using Google Authenticator in Keycloak. It's designed to help you quickly set up and test OTP-based authentication for new users in one of the realms of your Keycloak deployment.
In this guide, we assume that your Keycloak environment either has no users yet or that MFA is not required for existing users. Only newly registered users will be prompted to configure OTP via an authenticator app like Google Authenticator during their first login.
This tutorial does not cover all the necessary security best practices for a complete configuration.
Keycloak console - Realm setting
- Log in to your Keycloak as an admin
- From your Keycloak console, select your realm from the dropdown list (here: tutorial-demo)
- Click on Authentication
- Then click on Required actions
- Enable Configure OTP in the Set as default action section.

Conclusion - Enforcing MFA for new users
All new users will now be forced to configure Multi-Factor Authentication (MFA). They will be prompted to register an OTP device, such as Google Authenticator.
Once MFA is configured, users must enter a 6-digit OTP code during each login.
How to configure OTP-Based MFA in Keycloak user by user using Google Authenticator
This step-by-step guide explains how to set up OTP-based Multi-Factor Authentication (MFA) in Keycloak for individual users using Google Authenticator. It is designed to help you enable and test MFA for a specific user in one of your Keycloak realms.
This tutorial assumes that your Keycloak instance already has at least one user. Only the configured user will be prompted to set up OTP with an authenticator app during their next login. To enable OTP for other users with this method, repeat this process, or apply it during future enrollments by following this tutorial.
This tutorial does not cover all the necessary security best practices for a complete configuration.
Keycloak console - Require OTP for existing user
- Log in to your Keycloak as an admin
- Select the realm where the user is located
- Navigate to the Users section (1.)
- Find and select the user you want to enable MFA for (here: user-demo)
- In the Required user actions dropdown list, choose Configure OTP (2. & 3.)
- Click Save to confirm and apply the changes

Conclusion - Enforcing MFA user by user
The selected user (e.g., user-demo) will now be forced to configure Multi-Factor Authentication (MFA) at their next login. They will be prompted to register an OTP device, such as Google Authenticator.
Once MFA is configured, the user must enter a 6-digit OTP code during each login.
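The console steps above amount to one update of the user's requiredActions through the Keycloak Admin REST API. The following script is an added example, not Cloud-IAM's or Keycloak's own code; it assumes a placeholder server URL, an admin account in the master realm, and the tutorial's realm tutorial-demo and user user-demo. It also adds the check a practitioner wants afterwards: whether the user has actually enrolled an OTP credential at their next login.

```python
"""Admin REST API equivalent of "Required user actions -> Configure OTP" (added example)."""
import json
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.invalid"   # placeholder: replace with your Keycloak URL
CONFIGURE_TOTP = "CONFIGURE_TOTP"           # alias of the "Configure OTP" required action


def admin_token(username: str, password: str) -> str:
    """Password grant against the admin-cli client of the master realm (assumed admin account)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    url = f"{BASE}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(url, form) as resp:
        return json.load(resp)["access_token"]


def api(token: str, method: str, path: str, body=None):
    """Send one call under /admin/realms/ and decode the JSON answer, if the server sent one."""
    req = urllib.request.Request(
        f"{BASE}/admin/realms/{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def with_configure_totp(user: dict) -> dict:
    """Return the user representation with CONFIGURE_TOTP appended (once) to requiredActions."""
    actions = list(user.get("requiredActions") or [])
    if CONFIGURE_TOTP not in actions:
        actions.append(CONFIGURE_TOTP)
    return {**user, "requiredActions": actions}


def has_otp_credential(credentials: list) -> bool:
    """True once the user has enrolled an authenticator: a credential of type "otp" exists."""
    return any(cred.get("type") == "otp" for cred in credentials)


def require_totp_for_user(token: str, realm: str, username: str) -> str:
    """Same effect as the console steps: flag the user so OTP setup is forced at next login."""
    users = api(token, "GET", f"{realm}/users?username={urllib.parse.quote(username)}&exact=true")
    user = next(u for u in users if u["username"] == username)   # keep exact matches only
    api(token, "PUT", f"{realm}/users/{user['id']}", with_configure_totp(user))
    return user["id"]


def user_has_enrolled_otp(token: str, realm: str, user_id: str) -> bool:
    """Verification: after the user's next login, an "otp" credential should be listed."""
    return has_otp_credential(api(token, "GET", f"{realm}/users/{user_id}/credentials"))
```

Until the user completes the required action at login, the flag stays in requiredActions and no "otp" credential exists, which is how to tell "MFA required" apart from "MFA enrolled" when auditing accounts.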
How to configure OTP-Based MFA in Keycloak for users by role using Google Authenticator
This step-by-step guide shows how to enable OTP-based Multi-Factor Authentication (MFA) in Keycloak for users with a specific role using Google Authenticator. It helps you activate MFA for all users assigned to a particular role in your Keycloak realm, using a new browser authentication flow.
This tutorial assumes your Keycloak instance has users assigned to the target role; in this example, the admin role of the master realm is used. Only users with the configured role will be prompted to set up OTP with an authenticator app during their next login. This method works with a manually assigned role as well as with a role inherited through a user group.
This tutorial does not cover all the necessary security best practices for a complete configuration.
Keycloak console - Duplicate browser flow
- Log in to your Keycloak as an admin
- Select the realm that contains the target role
- Navigate to Authentication (1.)
- Select Browser from the list (2.)
- Click on Action and choose Duplicate (3.)
- Name the new browser flow, for example browser - admin OTP flow

Keycloak console - Configure browser flow
- Delete the line browser - admin OTP flow Browser - Conditional OTP by clicking on the trash icon
- Add a new execution step:
  - Click + on the line browser - admin OTP flow form
  - Select Add Execution
  - From the list select Conditional OTP form, then click Add
- Directly change its status from Disabled to Required

Keycloak console - Configure conditional OTP form based on Role
- Click the gear icon (settings) next to Conditional OTP form
- Assign an Alias such as mandatory OTP for admin (1.)
- Under Force OTP for Role, click on Select Role
- Select the filter Filter by realm role
- Click on the role, here admin (description: 'role_admin'), then click Assign (2.)
- Then click Save

Keycloak console - Bind the newly created browser flow
- Click on Action and select Bind the flow
- From the list choose Browser flow and click on Save
- Navigate to Authentication
- Verify that the flow is bound: browser - admin OTP flow should appear at the top of the list with a check mark in the Used by column.

Conclusion - Enforcing MFA for Users by Role
Users holding the selected role (e.g., admin) will now be forced to configure Multi-Factor Authentication (MFA) at their next login. They will be prompted to register an OTP device, such as Google Authenticator.
Once MFA is configured, all users with this role must enter a 6-digit OTP code during each login.
MFA Initialization and Usage for the user
Keycloak user login screen - MFA first authentication or registration
During the initial MFA authentication, the new user enters their username and password, followed by a prompt to register for MFA.
- Download and open the Google Authenticator app on your mobile device
- Click on +
- Select Scan a QR Code
- On your Keycloak login screen, enter the 6-digit one-time code shown by the app
- Enter the name of your device
- Then click on Submit

Keycloak login screen - MFA usual authentication
During a typical MFA-authenticated login, the user enters their username and password, then inputs the 6-digit code generated by Google Authenticator.
