Keycloak Multi-Factor Authentication With Hardware Tokens

As more of daily life moves online and attackers keep probing for weaknesses, access management is something every application developer has to get right.

Keycloak is an open-source identity and access management server built with application developers in mind. It provides a clean, straightforward way to secure modern applications and services.

Keycloak ships with easy-to-roll-out multi-factor authentication (MFA) based on one-time passwords (OTP). Out of the box, the only way for a user to hold the OTP secret is an authenticator app (FreeOTP or Google Authenticator) enrolled by scanning a QR code; the realm's OTP policy decides whether the codes are time-based (TOTP) or counter-based (HOTP).

For users who would rather not keep that secret on a phone, the reprogrammable Protectimus Slim NFC token can take the place of the mobile app: the same TOTP seed Keycloak presents as a QR code is written into the token over NFC, and the token then generates the codes on its own display, away from any general-purpose device.

Below we provide detailed instructions on configuring Keycloak multi-factor authentication, on using the Protectimus Slim NFC token as the second factor, and on the additional OTP delivery methods available through the Protectimus service.

Keycloak multi-factor authentication configuration

Configuring Keycloak multi-factor authentication is quick. All you need to do is make the "Configure OTP" required action apply to both your existing users and your new ones, so that everyone is forced to enroll a one-time password generator.

Enforcing an existing user:

In the Keycloak admin console, open "Users" in the sidebar and select a user from the list. On the "Details" tab, add "Configure OTP" under "Required User Actions" and save. The user is prompted to set up OTP at their next login and cannot proceed without completing it. Repeat this for each existing user, or script it against the Admin REST API for a large user base.


Enforcing new users:

Open "Authentication" in the sidebar of the admin console, switch to the "Required Actions" tab and tick "Default Action" in the "Configure OTP" row. A default action is applied only to users created after this point, so it does not retroactively cover existing accounts; those still need the per-user step above.


Keycloak two-factor authentication with hardware tokens

For Protectimus Slim NFC to work with Keycloak, the realm's OTP policy has to match what the token can generate: OTP type TOTP, hash algorithm SHA1, and a 30- or 60-second token period. Set this before users start enrolling, because these parameters are baked into the QR code each user scans; under a different algorithm or period the token would still produce SHA1 codes on its own schedule, and they would not match what Keycloak expects.

Open the "OTP Policy" tab under "Authentication" in the admin console, set "OTP Type" to time based, "OTP Hash Algorithm" to SHA1 and "OTP Token Period" to 30 (or 60) seconds, and click "Save".

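Once the policy and the required actions are set, it is worth checking them from the realm representation rather than by eye. The following is an added example, not part of the original article and not Keycloak's own tooling: it audits a realm export (the admin console's Export page, `kcadm.sh get realms/<realm>`, or a full `kc.sh export` when you also want the users) for the three policy settings above and for the CONFIGURE_TOTP required action, and lists users who have neither an OTP credential nor the pending required action. The sample realm is constructed; the field names follow Keycloak's realm representation, and the credential type names accepted for OTP are an assumption.

```python
"""Added example: audit a Keycloak realm export for token-compatible MFA settings.
Not Keycloak or Protectimus code; the sample realm below is constructed."""
import json

# Policy values the article requires for Protectimus Slim NFC (TOTP, SHA1, 30 or 60 s),
# keyed by the realm representation field that carries each setting.
REQUIRED_POLICY = {
    "otpPolicyType": {"totp"},
    "otpPolicyAlgorithm": {"HmacSHA1"},
    "otpPolicyPeriod": {30, 60},
}
# Credential types that count as an enrolled OTP generator (assumption: "otp" plus legacy names).
OTP_CREDENTIAL_TYPES = {"otp", "totp", "hotp"}


def audit_realm(realm):
    """Return a list of findings; an empty list means the realm enforces MFA with a compatible policy."""
    findings = []
    for key, allowed in REQUIRED_POLICY.items():
        value = realm.get(key)
        if value not in allowed:
            findings.append(f"{key}={value!r}, expected one of {sorted(map(str, allowed))}")
    # "Configure OTP" in the console is the CONFIGURE_TOTP required action.
    actions = {a.get("alias"): a for a in realm.get("requiredActions", [])}
    otp = actions.get("CONFIGURE_TOTP")
    if otp is None or not otp.get("enabled", False):
        findings.append("required action CONFIGURE_TOTP is missing or disabled")
    elif not otp.get("defaultAction", False):
        findings.append("CONFIGURE_TOTP is not a default action, so new users are not forced to enroll")
    return findings


def users_without_otp(realm):
    """Existing users who neither hold an OTP credential nor have the enrollment pending."""
    missing = []
    for user in realm.get("users", []):
        has_otp = any(c.get("type") in OTP_CREDENTIAL_TYPES for c in user.get("credentials", []))
        pending = "CONFIGURE_TOTP" in user.get("requiredActions", [])
        if not has_otp and not pending:
            missing.append(user["username"])
    return missing


# Constructed sample export, trimmed to the fields used here; not a real realm.
REALM_OK = json.loads("""{
  "realm": "demo",
  "otpPolicyType": "totp", "otpPolicyAlgorithm": "HmacSHA1",
  "otpPolicyDigits": 6, "otpPolicyLookAheadWindow": 1, "otpPolicyPeriod": 30,
  "requiredActions": [
    {"alias": "CONFIGURE_TOTP", "name": "Configure OTP", "enabled": true, "defaultAction": true}
  ],
  "users": [
    {"username": "alice", "credentials": [{"type": "otp"}], "requiredActions": []},
    {"username": "bob",   "credentials": [], "requiredActions": ["CONFIGURE_TOTP"]},
    {"username": "carol", "credentials": [{"type": "password"}], "requiredActions": []}
  ]
}""")

# The same realm with a SHA256 policy, a non-standard period and no default action.
REALM_BAD = dict(
    REALM_OK,
    otpPolicyAlgorithm="HmacSHA256",
    otpPolicyPeriod=45,
    requiredActions=[{"alias": "CONFIGURE_TOTP", "name": "Configure OTP",
                      "enabled": True, "defaultAction": False}],
)

if __name__ == "__main__":
    for name, realm in (("ok", REALM_OK), ("bad", REALM_BAD)):
        print(name, "findings:", audit_realm(realm) or "none")
        print(name, "users still without OTP:", users_without_otp(realm))
```

Run it against the JSON you exported; any finding means the enrollment steps below would either not be enforced or would hand users a QR code the token cannot use.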

Now your users can follow these steps to add Protectimus Slim NFC as the second factor when logging in to your apps or services:

1. Install the Protectimus TOTP Burner application on an NFC-capable phone.


2. Launch the application, tap "Burn the seed", then select the "Scan the QR code" option.


3. Because "Configure OTP" is now a required action, the next login with username and password takes the user to Keycloak's Mobile Authenticator Setup page, which displays the QR code. Scan it with the burner app instead of an authenticator app. The QR code encodes the secret itself and is shown only once: it should not be screenshotted, forwarded or left on screen.


4. Once the QR code has been read, turn the token on, hold it within range of the phone's NFC antenna and tap "Continue". The app writes the seed into the token.


5. When the application confirms that the seed has been written, enter the code now shown on the token into the Keycloak setup page to finish enrollment. Keycloak completes the enrollment only if that code verifies, which doubles as a check that the seed was burned correctly. From then on, Protectimus Slim NFC serves as the second factor for your Keycloak-protected application or service.

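What the burner app reads from the QR code is an ordinary otpauth:// URI, and what the token then does is plain RFC 6238 TOTP. The following is an added example, not code from Protectimus or Keycloak: it parses such a URI, rejects parameters a SHA1/TOTP hardware token cannot generate (the policy constraints above), and verifies codes with the drift window a TOTP verifier uses, which is how a hardware token whose clock has wandered a few seconds still logs in. The sample URIs are constructed in the shape Keycloak emits; the seed is the RFC 6238 test key, so the codes can be checked against the RFC's vectors. The accepted digit counts are an assumption, since the article does not state them.

```python
"""Added example (not Protectimus or Keycloak code): inspect an enrollment otpauth:// URI,
check it against what a SHA1/TOTP hardware token supports, and verify TOTP codes (RFC 6238)."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# What the article states Protectimus Slim NFC supports: TOTP, SHA1, a 30 or 60 s period.
# Digits are not stated on the page; 6 and 8 (the RFC 6238 values) are accepted here as an assumption.
TOKEN_TYPES = {"totp"}
TOKEN_ALGORITHMS = {"SHA1"}
TOKEN_PERIODS = {30, 60}
TOKEN_DIGITS = {6, 8}


def parse_otpauth(uri):
    """Split an otpauth:// provisioning URI into its fields, applying the usual defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "type": u.netloc.lower(),               # totp or hotp
        "label": unquote(u.path.lstrip("/")),   # "issuer:username"
        "secret": q["secret"],                   # base32 seed: exactly what gets burned into the token
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def token_problems(p):
    """Reasons this enrollment would not work on the hardware token; an empty list means compatible."""
    checks = (("type", TOKEN_TYPES), ("algorithm", TOKEN_ALGORITHMS),
              ("period", TOKEN_PERIODS), ("digits", TOKEN_DIGITS))
    return [f"{k}={p[k]} not in {sorted(map(str, ok))}" for k, ok in checks if p[k] not in ok]


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)


def verify_totp(secret_b32, code, unix_time, period=30, digits=6, algorithm="SHA1", window=1):
    """Accept the code for the current step or up to `window` steps on either side.
    Keycloak's OTP policy exposes this tolerance as "Look Ahead Window" (default 1); it is
    what absorbs a hardware token whose clock has drifted slightly."""
    step = int(unix_time) // period
    return any(hmac.compare_digest(hotp(secret_b32, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))


# Constructed sample URIs in the shape Keycloak emits; seed = RFC 6238 test key "12345678901234567890".
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
URI_OK = (f"otpauth://totp/demo-realm:alice?secret={RFC_SECRET}"
          "&digits=6&algorithm=SHA1&period=30&issuer=demo-realm")
URI_BAD = (f"otpauth://hotp/demo-realm:alice?secret={RFC_SECRET}"
           "&digits=6&algorithm=SHA256&counter=0&issuer=demo-realm")

if __name__ == "__main__":
    print("compatible enrollment:", token_problems(parse_otpauth(URI_OK)) or "yes")
    print("incompatible enrollment:", token_problems(parse_otpauth(URI_BAD)))
    print("code at T=59:", totp(RFC_SECRET, 59))   # RFC 6238 vector 94287082, so 287082 at 6 digits
    print("accepted one step late:", verify_totp(RFC_SECRET, "287082", 89))
    print("accepted two steps late:", verify_totp(RFC_SECRET, "287082", 119))
```

If a user's token keeps being rejected after a successful burn, compare `totp(seed, time.time())` for the seed you enrolled with what the token displays: a match with a one-step offset points at clock drift (raise the look-ahead window or re-sync), while a complete mismatch points at an algorithm or period disagreement between the policy and the token.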

Keycloak OTP via SMS, email, hard tokens, chatbots

Out of the box, Keycloak is a capable solution for managing security and access. Integrating it with the Protectimus multi-factor authentication service broadens the protection options and adds features Keycloak does not have on its own.

With Protectimus you can add the MFA method you prefer: Keycloak two-factor authentication via email, hardware tokens with pre-programmed (hardcoded) keys, which are cheaper than the reprogrammable ones, Keycloak 2FA via SMS, and OTP delivery through chatbots in various messengers.

More importantly, you get a set of additional Protectimus two-factor authentication security features. The most important ones are described below.

Data signing (CWYS — Confirm What You See)

This protects transactions against phishing sites, Trojans and other malware built to intercept one-time passwords.

With CWYS the one-time password is derived from the details of the operation the user is confirming (for example the payee and amount of a transfer), so it is valid only for that specific operation. Even if the code is intercepted, an attacker cannot use it to confirm a different operation: the verifier recomputes the code from the operation it is about to execute, and the two will not match. The protection relies on the user actually checking the details shown on the token or app before confirming, hence the name.
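To make the mechanism concrete, here is an added example of a transaction-bound one-time code. It is not Protectimus's implementation of CWYS, whose internals the article does not describe; it follows the general idea the paragraph above gives, mixing the transaction details the user sees into the HMAC alongside the time step, much as RFC 6287 (OCRA) mixes a challenge into the OTP computation. The seed, transaction and tampered transaction are constructed.

```python
"""Added example, not Protectimus code: a one-time code bound to the transaction it authorises,
so that a code phished or intercepted for one transfer does not verify for another."""
import hashlib
import hmac
import json
import struct


def canonical(tx):
    """Serialise the fields shown to the user deterministically so both sides hash identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def signed_otp(seed, tx, unix_time, period=30, digits=6):
    """Code bound to both the time step and the transaction (HMAC-SHA1 with RFC 4226 truncation).
    Unlike plain TOTP, the HMAC input carries a digest of the transaction, not just the counter."""
    step = int(unix_time) // period
    msg = struct.pack(">Q", step) + hashlib.sha256(canonical(tx)).digest()
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_signed_otp(seed, tx, code, unix_time, period=30, digits=6, window=1):
    """Server side: recompute from the transaction the server is about to execute, with a small
    drift window. A code computed over different details fails here regardless of timing."""
    step = int(unix_time) // period
    return any(hmac.compare_digest(signed_otp(seed, tx, (step + d) * period, period, digits), code)
               for d in range(-window, window + 1))


# Constructed demo data: a shared seed, the transfer the user confirms, and the version
# a banking Trojan would substitute after the user has typed the code.
SEED = b"constructed-demo-seed-not-a-real-key"
NOW = 1_700_000_000
TRANSFER = {"action": "transfer", "to": "ACCOUNT-A", "amount": "250.00", "currency": "EUR"}
TAMPERED = dict(TRANSFER, to="ACCOUNT-B")

if __name__ == "__main__":
    code = signed_otp(SEED, TRANSFER, NOW)
    print("code the user reads off the token:", code)
    print("genuine transfer verifies:", verify_signed_otp(SEED, TRANSFER, code, NOW + 5))
    print("same code on tampered transfer:", verify_signed_otp(SEED, TAMPERED, code, NOW + 5))
```

The design choice worth noting is that the verifier never trusts the transaction as submitted by the client; it hashes the operation it is itself about to perform, so the only way to get a valid code is to have computed it over exactly those details.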

Geographic filters

With this filter you can allow or block logins from particular countries of your choosing.

Time-based filters

This feature suits corporate environments: you can allow access only during certain hours, for example working hours, which narrows the window for unauthorized use of the corporate portal.

Adaptive authentication

This feature suits systems where users log in and out frequently and the access rules are not extremely strict, so that some amount of trust is acceptable. With it enabled, Protectimus analyses the user's environment (operating system and language, browser name and version, screen resolution, installed plugins and so on) and asks for an OTP only when it sees a significant mismatch. Since these attributes can be copied by an attacker who controls the user's browser, treat this as a usability trade-off for lower-risk systems rather than a replacement for an unconditional second-factor requirement.

Role-based access policies

This lets you create different groups of users and assign different access rules to each group within the same Protectimus account, so end users and administrators, for example, can be protected in completely different ways.

Users self-service

Letting users manage their own tokens takes that workload off the system administrator and reduces support costs.

As you can see, integrating Protectimus multifactor authentication service with Keycloak allows for a much more versatile approach to protecting and managing access to your apps and services.

Protectimus is available both as an on-premise platform and as a cloud service; the integration with Keycloak is done via its API.

Pricing starts with a free tier: up to 10 users cost nothing. See the Protectimus pricing page for the full list of plans.


Author: Anna

If you have any questions about two-factor authentication and Protectimus products, ask Anna, and you will get an expert answer. She knows everything about one-time passwords, OTP tokens, 2FA applications, OATH algorithms, how two-factor authentication works, and what it protects against. Anna will explain the difference between TOTP, HOTP, and OCRA, help you choose a token for Azure MFA, and tell you how to set up two-factor authentication for Windows or Active Directory. Over the years with Protectimus, Anna has become an expert in cybersecurity and knows all about the Protectimus 2FA solution, so she will advise on any issue. Please, ask your questions in the comments.
