Nowadays, when hackers constantly look for vulnerabilities, while more and more aspects of life are being digitized, cyber security is of utmost importance and every app developer has to pay special attention to access management. Keycloak is one of the most ingenious solutions created with app developers in mind. It provides an elegant and easy way for securing modern applications and services. With Keycloak comes an easy to roll out Multi-Factor Authentication (MFA) with one-time passwords (OTP). By default, Keycloak multi-factor authentication supports time-based OTP (TOTP) delivered via an authenticator app only. But for those who want to add an extra layer of security for their users, there is a perfect solution — reprogrammable token Protectimus Slim NFC. This token is, basically, programmed to be utilized as a replacement for the mobile authentication app. Buy hardware token for Keycloak MFA Below we provide detailed instructions on: how to configure Keycloak MFAhow your users will set up their hardware Keycloak token Protectimus Slim NFChow to run Keycloak 2FA with other ways of authentication (SMS, email, hardware tokens, chatbots) Keycloak multi-factor authentication configuration Configuring Keycloak multi-factor authentication is very easy and won’t take a lot of your time. Basically, all you need to do is enforce both your existing users and your new users to use one time passwords. Enforcing existing user: Go to your Keycloak admin area, find “Users” in the sidebar menu and select a user from your list. Then navigate to the “Details” tab and select “Configure OTP” in the “Required User Actions” section: Enforcing new users: Select “Authentication” in the sidebar menu in the Keycloak admin area, then find the “Required action” tab, in the top row (“Configure OTP”) check “Default action”. Keycloak two-factor authentication with hardware tokens To hook up Protectimus Slim NFC to Keycloak the following OTP Policies have to be applied: SHA1, TOTP, 30 or 60 seconds period. Find the “OTP Policy” tab in your “Authentication” section in the Keycloak admin area and adjust the required parameters as follows, don’t forget to click the “Save” button: You can read more on the OTP Policies in the official Keycloak documentation. Now your users will be able to follow these simple steps to add Protectimus Slim as the second factor when logging into your apps or services: 1. Download Protectimus TOTP Burner application. 2. Launch our application, click “Burn the seed”, then select the “Scan the QR code” option: 3. After completing the usual login process with username and password the user will have to set up the Mobile Authenticator. This is where they will get the QR code: 4. After the code scanning is done the user needs to turn the token on, place it within the mobile’s NFC antenna range and click “Continue”: 5. After the application provides the confirmation message, Protectimus Slim NFC can be used with your Keycloak protected application or service using Keycloak multi-factor authentication: Keycloak OTP via SMS, email, hard tokens, chatbots Out of the box, Keycloak is an awesome solution for managing security and access. But integrating it with Protectimus multifactor authentication service will expand your protection options, provide more features and make your apps and services truly bulletproof. With Protectimus you will be able to add any MFA method you wish: Keycloak two-factor authentication via email, hardware tokens with hardcoded keys (these are cheaper than the reprogrammable ones), Keycloak 2fa SMS, and even capability to deliver OTP via chatbots in various messengers. But what’s more important, you’ll get a set of advanced Protectimus 2-factor authentication security features. Let’s take a closer look at the most important features Protectimus authentication solution has to offer. Data signing (CWYS — Confirm...