Keycloak MFA using Mobile Authenticator Setup

Bhuvanesh Kamaraj
Feb 28, 2024


Introduction

This document provides a technical guide for setting up Multi-Factor Authentication (MFA) using Mobile Authenticators in Keycloak. This built-in feature supports various apps such as Google Authenticator, Microsoft Authenticator, and Free OTP. The configuration involves defining policies, enabling OTP (One-Time Password) settings, and implementing authentication flows for individual users or user groups.

Authentication Flow:

OTP Policy Configuration

  1. Update OTP Policy:
  • Navigate to Realm -> Authentication -> Policies tab.
  • Configure the OTP Policy as per organizational requirements.
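What the OTP policy fields actually control, as an added example that is not part of the original article: a stand-alone implementation of HOTP/TOTP (RFC 4226/6238) parameterised by the same settings Keycloak exposes in the policy (hash algorithm, digits, period, look-ahead window), including the verification window that a larger look-ahead widens. The POLICY dict and the base32 sample secret are constructed for illustration, and the look-ahead window is applied in both directions here.

```python
import base64
import hashlib
import hmac
import struct
import time

# Parameters mirroring the fields of a Keycloak realm OTP policy (constructed here).
# Keycloak's defaults are: TOTP, SHA1, 6 digits, 30-second period, look-ahead window 1.
# (Keycloak labels the algorithm "HmacSHA1"/"HmacSHA256"/"HmacSHA512"; mapped to hashlib names.)
POLICY = {
    "algorithm": "sha1",   # sha1, sha256 or sha512
    "digits": 6,           # 6 or 8
    "period": 30,          # seconds per TOTP time step
    "look_ahead": 1,       # time steps of clock drift tolerated on verification
}


def hotp(secret: bytes, counter: int, digits: int, algorithm: str) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, policy: dict) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, timestamp // policy["period"], policy["digits"], policy["algorithm"])


def verify_totp(secret: bytes, submitted: str, timestamp: int, policy: dict) -> bool:
    """Accept the code if it matches the current step or any step within the look-ahead
    window (checked in both directions here). The comparison is constant-time."""
    step = timestamp // policy["period"]
    for delta in range(-policy["look_ahead"], policy["look_ahead"] + 1):
        candidate = hotp(secret, step + delta, policy["digits"], policy["algorithm"])
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample secret, in the base32 form an authenticator app receives via QR code.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(secret, now, POLICY)
    print("current code:", code, "valid:", verify_totp(secret, code, now, POLICY))
```

Widening the look-ahead window makes logins tolerant of phone clock drift but also lengthens the window in which a single code is accepted, which is the trade-off the policy field represents.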

OTP Configuration and Authentication Flow

  1. Enable OTP Configuration:
  • Navigate to Realm -> Authentication -> Required actions tab.
  • Enable “Configure OTP.”

2. Authentication for Individual User or User Group:

  • Create a role named “require_otp_role” in Realm -> Realm roles (or Client roles).
  • Duplicate the “Browser” flow: Realm -> Authentication -> Flows -> click “Browser” -> Action -> Duplicate. Name it “browser_otp_flow”.
  • Under “browser_otp_flow”:
    • Delete the “browser_otp_flow — Conditional OTP” form.
    • Add a step “Conditional OTP Form” to “browser_otp_flow forms”.
    • Mark “Conditional OTP Form” as required.
    • Configure its settings:
      • Provide an appropriate alias name.
      • Force OTP for Role: select “require_otp_role”.
      • Save the settings.

3. Bind Flow to Action:

  • On “browser_otp_flow,” go to Action -> Bind flow.
  • Choose Binding Type: “Browser flow” and save.
  • “browser_otp_flow” becomes the default browser flow.

4. Role Assignment:

  • Assign “require_otp_role” to the desired user or user group.

5. User Authentication:

  • Users with the “require_otp_role” will be prompted to enter OTP for authentication.
  • Note: Remove any per-user required action such as “Configure OTP”, since in this setup the role, not the required action, is what triggers the OTP step.

6. Initial Login Setup:

  • When a user logs in for the first time after this change, they will go through the initial OTP setup.

7. Subsequent Logins:

  • After the initial setup, subsequent logins will require the user to enter a new OTP for authentication.

This setup configures MFA with Mobile Authenticators using an explicit OTP policy and a tailored authentication flow that enforces OTP for a chosen role. Adjust the configuration to your organizational needs and security considerations.
