<\/p>\n\n\n\n
With Keycloak comes an easy to roll out Multi-Factor Authentication (MFA) with one-time passwords (OTP). By default, Keycloak multi-factor authentication supports time-based OTP (TOTP) delivered via an authenticator app<\/a> only. But for those who want to add an extra layer of security for their users, there is a perfect solution \u2014 reprogrammable token Protectimus Slim NFC. This token is, basically, programmed to be utilized as a replacement for the mobile authentication app.<\/p>\n\n\n\n Below we provide detailed instructions on:<\/p>\n\n\n <\/a><\/p>\n\n\n Configuring Keycloak multi-factor Go to your Keycloak admin area, find \u201cUsers\u201d in the sidebar menu and select a user from your list. Then navigate to the \u201cDetails\u201d tab and select \u201cConfigure OTP\u201d in the \u201cRequired User Actions\u201d section:<\/p>\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n Select \u201cAuthentication\u201d in the sidebar menu in the Keycloak admin area, then find the \u201cRequired action\u201d tab, in the top row (\u201cConfigure OTP\u201d) check \u201cDefault action\u201d.<\/p>\n\n\n <\/a><\/p>\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n To hook up Protectimus Slim NFC<\/a> to Keycloak the following OTP Policies have to be applied: SHA1, TOTP, 30 or 60 seconds period. Find the \u201cOTP Policy\u201d tab in your \u201cAuthentication\u201d section in the Keycloak admin area and adjust the required parameters as follows, don\u2019t forget to click the \u201cSave\u201d button:<\/p>\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n Now your users will be able to follow these simple steps to add Protectimus Slim as the second factor when logging into your apps or services: 1. Download Protectimus TOTP Burner<\/a> application.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n 2. Launch our application, click \u201cBurn the seed\u201d, then select the \u201cScan the QR code\u201d option:<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n 3. After completing the usual login process with username and password the user will have to set up the Mobile Authenticator. This is where they will get the QR code:<\/p>\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n 4. After the code scanning is done the user needs to turn the token on, place it within the mobile\u2019s NFC antenna range and click \u201cContinue\u201d:<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n 5. After the application provides the confirmation message, Protectimus Slim NFC can be used with your Keycloak protected application or service using Keycloak multi-factor authentication:<\/p>\n\n\n <\/a><\/p>\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n Out of the box, Keycloak is an awesome solution for managing security and access. But integrating it with Protectimus multifactor authentication service<\/a> will expand your protection options, provide more features and make your apps and services truly bulletproof. With Protectimus you will be able to add any MFA method<\/a> you wish: Keycloak two-factor authentication via email, hardware tokens with hardcoded keys (these are cheaper than the reprogrammable ones), Keycloak 2fa SMS, and even capability to deliver OTP via chatbots in various messengers. But what\u2019s more important, you\u2019ll get a set of advanced Protectimus 2-factor authentication security features. Let\u2019s take a closer look at the most important features Protectimus authentication solution has to offer<\/a>. This is a very effective way to protect sensitive data from phishing software, Trojans and various other harmful software injections aimed to steal one-time passwords. CWYS data signing feature<\/a> generates OTPs in reliance By implementing this ingenious filter you can both allow and block entry to users from particular countries of your choosing. This feature is great for granting access to corporate environments. With it, you can allow users access only at certain hours, for example \u2014 working hours. This way the corporate portal is protected against unauthorized access much better. This smart feature is great for those who need to constantly log in and out of a system and the access rules are not extremely strict, where some amount of trust is allowed. With this feature on, Protectimus will analyze the users\u2019 environment (OS and language, browser name and current version, resolution of their screen, the presence of certain plugins etc) and will request OTP only if there\u2019s a significant mismatch. This allows for creating different groups of users and assigning different access protocols for these groups in the same Protectimus account. So you can have one type of access protection for end-users and a completely different one for administrators, for example. By allowing users to handle their own tokens you take the extra work-load off the system administrator and save your funds. As you can see, integrating Protectimus multifactor authentication service with Keycloak allows for a much more versatile approach to protecting and managing access to your apps and services. Protectimus is available both as an On-Premise Platform and a Cloud Service, the integration is done via API. The pricing will pleasantly surprise you, for example, you can have up to 10 users completely free of charge. To learn more about Protectimus pricing plans go here<\/a>. Nowadays, when hackers constantly look for vulnerabilities, while more and more aspects of life are being digitized, cyber security is of utmost importance and every app developer has to pay special attention to access management. Keycloak is one of the most ingenious solutions created with app developers in mind. It provides an elegant and easy […]<\/p>\n","protected":false},"author":6,"featured_media":5022,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[9,15],"tags":[1350,120,194,335,421,139,99],"class_list":["post-3933","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-protectimus-products","category-rd","tag-keycloak-en","tag-multifactor-authentication","tag-protectimus-en","tag-protectimus-slim-nfc-en","tag-setup-guides","tag-tokens","tag-two-factor-authentication"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/posts\/3933","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/comments?post=3933"}],"version-history":[{"count":18,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/posts\/3933\/revisions"}],"predecessor-version":[{"id":9120,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/posts\/3933\/revisions\/9120"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/media\/5022"}],"wp:attachment":[{"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/media?parent=3933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/categories?post=3933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/tags?post=3933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/p>\n\n\n\n\n
Keycloak multi-factor authentication configuration<\/strong><\/h2>\n\n\n\n
<\/p>\n\n\n\nEnforcing existing user:<\/h3>\n\n\n\n
![\"Keycloak](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2019\/03\/Keycloak-multi-factor-authentication-configuration-enforcing-existing-users-1.png\")
<\/figure>\n<\/div>\n\n\nEnforcing new users:<\/h3>\n\n\n\n
![\"Keycloak](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2019\/03\/Keycloak-multi-factor-authentication-configuration-enforcing-new-users.png\")
<\/figure><\/div>\n\n\n\nKeycloak two-factor authentication with hardware tokens<\/strong><\/h2>\n\n\n\n
<\/p>\n\n\n\n![\"Keycloak](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2019\/03\/Keycloak-two-factor-authentication-hardware-tokens-setup-1.png\")
<\/figure>\n<\/div>\n\n\n
<\/p>\n\n\n\n![\"Keycloak](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2019\/03\/Keycloak-two-factor-authentication-hardware-tokens-setup-Protectimus-TOTP-Burner-app-download.png\")
<\/figure><\/div>\n\n\n\n![\"Keycloak](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2019\/03\/Keycloak-two-factor-authentication-hardware-tokens-setup-TOTP-Burner-step1-step2.png\")
<\/figure><\/div>\n\n\n\n![\"Keycloak](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2019\/03\/Keycloak-two-factor-authentication-hardware-tokens-setup-QR-code-1.png\")
<\/figure>\n<\/div>\n\n\n![\"Keycloak](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2019\/03\/Keycloak-two-factor-authentication-hardware-tokens-setup-TOTP-Burner-step3.png\")
<\/figure><\/div>\n\n\n\n![\"Keycloak](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2019\/03\/Keycloak-two-factor-authentication-hardware-tokens-setup-one-time-code-entry-field.png\")
<\/figure><\/div>\n\n\n\nKeycloak OTP via SMS, email, hard tokens, chatbots<\/strong><\/h2>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\nData signing (CWYS \u2014 Confirm What You See)
<\/h3>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\nGeographic filters
<\/h3>\n\n\n\n
<\/p>\n\n\n\nTime-based filters
<\/h3>\n\n\n\n
<\/p>\n\n\n\nAdaptive authentication
<\/h3>\n\n\n\n
<\/p>\n\n\n\nRole-based access policies
<\/h3>\n\n\n\n
<\/p>\n\n\n\nUsers self-service
<\/h3>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\nRead also:<\/strong><\/h2>\n\n\n\n
\n