Enable two-factor authentication in Keycloak for OSP

You can enable two-factor authentication (2FA) in Keycloak by requiring a one-time password (OTP) as a second factor for OSP logins. This topic explains how to configure OTP-based 2FA for users who authenticate through Keycloak.

Note: Before enabling 2FA, ensure that you have set up OSP-Keycloak integration. For details on OSP setup and configuration, see the OSP documentation.

Step 1: Enable OTP setup for users

Configure Keycloak to require OTP configuration as a required action for all users.

To enable OTP setup for users:

  1. Log in to the Keycloak Administration Console.

  2. Navigate to Authentication > Required Actions.

  3. Find Configure OTP in the list of required actions.

  4. Set Enabled to ON.

  5. Set Default Action to ON.

When you set Configure OTP as a default action, any user who has not configured OTP will be forced to set it up during their next login.

Step 2: Force OTP setup for a specific user

You can require OTP setup for individual users without enabling it globally.

To force OTP setup for a specific user:

  1. In the Keycloak Administration Console, navigate to Users.

  2. Search for and select the user.

  3. Open the Required User Actions tab.

  4. Add Configure OTP to the user.

  5. Click Save.

This ensures that the user must set up OTP at their next login.

Step 3: Configure OTP type and policy

Set the OTP type and policy to ensure compatibility with authenticator applications.

To configure OTP type and policy:

  1. In the Keycloak Administration Console, navigate to Authentication > OTP Policy.

  2. Set OTP Type to Time-Based (TOTP).

  3. Configure or keep the default values for the following settings:

    • Number of Digits: 6

    • Time Period: 30 seconds

  4. Click Save.

With this policy, Keycloak issues OTP secrets and verifies TOTP codes in a way that is compatible with Google Authenticator and other standard authenticator applications (6 digits, 30-second time steps).
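The following is an added example, not part of the original page or of Keycloak, showing what the OTP policy above means in practice: how a 6-digit, 30-second TOTP code is derived from the shared secret behind the Configure OTP QR code (the same code the user types in Step 4), and how a server-side check should accept it. HMAC-SHA1 and a look-ahead window of one time step are assumed here as Keycloak's defaults; the secret used is the public RFC 6238 test seed, not a real user secret.

```python
import base64
import hmac
import struct
import time

# OTP Policy values from this page: Time-Based (TOTP), 6 digits, 30-second period.
# HMAC-SHA1 and a look-ahead window of 1 step are assumed Keycloak defaults.
DIGITS = 6
PERIOD = 30
ALGORITHM = "sha1"
LOOK_AHEAD_WINDOW = 1

# Public RFC 6238 test seed "12345678901234567890", base32-encoded as it would
# appear in the otpauth:// URI behind the QR code. Constructed test value only.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(base32_secret: str) -> bytes:
    """Base32 secrets in otpauth URIs are often unpadded; restore padding first."""
    s = base32_secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHM).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(base32_secret: str, at: int) -> str:
    """RFC 6238: the counter is the number of 30-second periods since the Unix epoch."""
    return hotp(decode_secret(base32_secret), at // PERIOD)


def verify_totp(base32_secret: str, submitted: str, at: int, window: int = LOOK_AHEAD_WINDOW) -> bool:
    """Server-side check: accept only a 6-digit code matching the current step or a
    step within +/- window (tolerates small clock drift); compare in constant time."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    secret = decode_secret(base32_secret)
    step = at // PERIOD
    return any(hmac.compare_digest(hotp(secret, step + d), submitted)
               for d in range(-window, window + 1) if step + d >= 0)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET_B32, now)
    print("current code:", code, "verifies:", verify_totp(RFC_TEST_SECRET_B32, code, now))
```

A code from a previous or next 30-second step is still accepted because of the window; anything older is rejected, which is why a user whose phone clock drifts by more than a minute sees "invalid code".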

Step 4: User login and 2FA setup

When a user logs in for the first time after OTP is enabled, they will be prompted to set up two-factor authentication.

To complete the user 2FA setup:

  1. The user navigates to the OSP application and initiates login.

  2. The user enters their username and password.

  3. Keycloak displays the Configure OTP screen with a QR code.

  4. The user scans the QR code using an authenticator application such as Google Authenticator, Microsoft Authenticator, or Authy.

  5. The user enters the 6-digit code displayed in the authenticator application.

  6. The user clicks Submit.

After successful configuration, the user will be required to enter the 6-digit OTP code from their authenticator application each time they log in.
