eosc-kc / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

two-factor authentication #82

Open cgeorgilakis opened 3 years ago

cgeorgilakis commented 3 years ago

Keycloak supports two-factor authentication. For the two-factor authenticator it supports the FreeOTP or Google Authenticator One-Time Password generator. Documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#otp-policies .

Investigate if implementation is sufficient.

cgeorgilakis commented 3 years ago

You can create your own authentication flow. Steps are executed in the order they appear in the Authentication flow. If an authentication flow contains required steps, all required steps must be passed. Otherwise at least one Alternative flow must be passed. Moreover, conditional flows exist. If the condition is true, this flow will be required. Also there is a tab Required Actions for configuring required actions for every created user.

Possible Flows

In a client you can override the default browser flow and direct grant flow for an OIDC Client. Moreover, for each IdP the admin must configure a First Login Flow (defaults to first login flow) and an optional Post Login Flow for additional actions after the user logs in to this Identity Provider.

Each user can configure the FreeOTP or Google Authenticator One-Time Password generator as an OTP Authenticator Application from the account console. If this is mandatory for a client, the user will be asked to create it before login (after adding credentials). For doing it we can make a 'browser 2' authentication flow by copying the 'browser' authentication flow and changing the Browser - Conditional OTP execution from conditional to required. In the default browser authentication flow (the default for clients as well), OTP is conditional. This means that if the user has configured OTP, after successfully adding his credentials Keycloak will ask him to enter the OTP code. The OTP code is produced by the configured OTP Authenticator Application. A user can have multiple configured OTP Authenticator Applications by giving a device name together with the OTP.

If we want something more complex we have many capabilities in the Authentication menu. However, we should do such a configuration carefully in order for our flow to work correctly! In default flows you can only change some execution requirements. For each flow we can also configure password policies, OTP policy and required actions.

Finally, the admin can add a required action to a User to configure OTP, or send him an email for changing it.
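The 'browser 2' procedure from the comment above, scripted against Keycloak's admin REST API as an added example (not code from this issue or from the Keycloak project). It assumes an admin bearer token obtained elsewhere, a base URL like `http://localhost:8080`, and the client's internal UUID; the execution list and ids in `SAMPLE_EXECUTIONS` are constructed.

```python
"""Copy the built-in 'browser' flow to 'browser 2', set its
'Browser - Conditional OTP' sub-flow to REQUIRED, and bind the copy to one client."""
import json
import urllib.parse
import urllib.request

OTP_SUBFLOW = "Browser - Conditional OTP"  # displayName as shown in the admin console

def otp_required_update(executions, display_name=OTP_SUBFLOW):
    """Build the body for PUT /admin/realms/{realm}/authentication/flows/{alias}/executions
    from the list the matching GET returns: locate the OTP sub-flow by displayName,
    check REQUIRED is an allowed choice, and switch the requirement to REQUIRED."""
    for ex in executions:
        if ex.get("displayName") == display_name:
            if "REQUIRED" not in ex.get("requirementChoices", []):
                raise ValueError(f"{display_name!r} cannot be set to REQUIRED")
            return {"id": ex["id"], "requirement": "REQUIRED"}
    raise LookupError(f"{display_name!r} not found in this flow")

def _call(base, token, method, path, body=None):
    """Minimal JSON client for the admin API (hypothetical helper, not Keycloak's)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def require_otp_for_client(base, token, realm, client_uuid, new_alias="browser 2"):
    """Copy 'browser', make OTP required in the copy, override the client's browser flow."""
    flows = f"/admin/realms/{realm}/authentication/flows/"
    _call(base, token, "POST", flows + "browser/copy", {"newName": new_alias})
    alias = urllib.parse.quote(new_alias)
    execs = _call(base, token, "GET", flows + f"{alias}/executions")
    _call(base, token, "PUT", flows + f"{alias}/executions", otp_required_update(execs))
    flow_id = next(f["id"] for f in _call(base, token, "GET", flows) if f["alias"] == new_alias)
    client_path = f"/admin/realms/{realm}/clients/{client_uuid}"
    client = _call(base, token, "GET", client_path)  # read-modify-write keeps other fields intact
    client.setdefault("authenticationFlowBindingOverrides", {})["browser"] = flow_id
    _call(base, token, "PUT", client_path, client)
    return flow_id

# Constructed sample of GET .../flows/browser/executions (fields trimmed, ids made up).
SAMPLE_EXECUTIONS = [
    {"id": "11111111-aaaa", "displayName": "Cookie", "requirement": "ALTERNATIVE", "level": 0,
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED"]},
    {"id": "22222222-bbbb", "displayName": "Username Password Form", "requirement": "REQUIRED",
     "level": 1, "requirementChoices": ["REQUIRED"]},
    {"id": "33333333-cccc", "displayName": OTP_SUBFLOW, "requirement": "CONDITIONAL", "level": 1,
     "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"]},
]
```

After the PUT, the copied flow's OTP sub-flow shows REQUIRED in the admin console, so every login through that client must pass OTP (users without a configured device get the Configure OTP required action).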

cgeorgilakis commented 3 years ago

https://github.com/keycloak/keycloak-community/blob/master/design/multi-factor-admin-and-step-up.md