Common problems with Keycloak: Multi-factor authentication (MFA) not activated

After looking at how to avoid the single point of failure in the first instalment of our “Common problems with Keycloak” series, we are now looking at another essential foundation: multi-factor authentication.



The use of multi-factor authentication (MFA) in Keycloak

In our networked world, passwords alone are no longer enough to protect user data. Cybercriminals are constantly developing new methods to circumvent security measures, which poses enormous challenges for companies and their customers. Fortunately, we have technologies like multi-factor authentication (MFA) on our side that provide a stronger and smarter layer of protection, and are now required by regulations like the GDPR.


Introducing multi-factor authentication with Keycloak

We have good news: Setting up multi-factor authentication with Keycloak is relatively straightforward and can make your systems much more secure. In scenarios where Keycloak is used for direct user management or user management via a user federation with LDAP (e.g. Active Directory), MFA is almost child’s play to implement. Here is a brief look at how you can activate this additional security layer:

  • Customise the realm configuration: first navigate to Authentication -> Flows in the realm configuration. For the browser flow, for example, select the option “Browser – Conditional OTP” and set this to “Required”.
  • Activate the “Configure OTP” action: In the next step, under “Required Actions”, you must mark the “Configure OTP” action both as enabled and as “Default Action”.

These two simple steps will allow your users to register the second factor on their mobile phone using apps such as FreeOTP or Google Authenticator (or other compatible apps) and use it for future authentications.
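To confirm that both steps are really in place on a realm, the following added example (not code from the original post or from Keycloak) checks the two settings described above. It assumes the input lists have the shape the Admin REST API returns for a flow's executions and for the realm's required actions; the function name `audit_mfa` and all sample data are constructed for illustration.

```python
# Added example: audits the two settings above. Input shapes are assumed to
# match the Admin REST API lists for a flow's executions and for the realm's
# required actions; the sample data is constructed.

OTP_SUBFLOW = "Browser - Conditional OTP"  # sub-flow display name (ASCII hyphen)
OTP_ACTION = "CONFIGURE_TOTP"              # alias of the "Configure OTP" action


def audit_mfa(executions, required_actions):
    """Return a list of findings; an empty list means both steps are applied."""
    findings = []

    subflow = next((e for e in executions
                    if e.get("displayName", "").replace("\u2013", "-") == OTP_SUBFLOW), None)
    if subflow is None:
        findings.append(f"no '{OTP_SUBFLOW}' sub-flow in this flow")
    elif subflow.get("requirement") != "REQUIRED":
        findings.append(f"'{OTP_SUBFLOW}' is {subflow.get('requirement')}, not REQUIRED")

    action = next((a for a in required_actions if a.get("alias") == OTP_ACTION), None)
    if action is None:
        findings.append(f"required action {OTP_ACTION} is not registered")
    else:
        if not action.get("enabled"):
            findings.append(f"{OTP_ACTION} is not enabled")
        if not action.get("defaultAction"):
            findings.append(f"{OTP_ACTION} is not a default action")
    return findings


# Constructed sample: a realm where OTP is still optional per user.
OPTIONAL_EXECUTIONS = [
    {"displayName": "Username Password Form", "requirement": "REQUIRED", "level": 1},
    {"displayName": "Browser - Conditional OTP", "requirement": "CONDITIONAL", "level": 1},
]
OPTIONAL_ACTIONS = [{"alias": "CONFIGURE_TOTP", "enabled": True, "defaultAction": False}]

# Constructed sample: the same realm after both steps.
ENFORCED_EXECUTIONS = [
    {"displayName": "Username Password Form", "requirement": "REQUIRED", "level": 1},
    {"displayName": "Browser - Conditional OTP", "requirement": "REQUIRED", "level": 1},
]
ENFORCED_ACTIONS = [{"alias": "CONFIGURE_TOTP", "enabled": True, "defaultAction": True}]

if __name__ == "__main__":
    for name, ex, ra in [("optional", OPTIONAL_EXECUTIONS, OPTIONAL_ACTIONS),
                         ("enforced", ENFORCED_EXECUTIONS, ENFORCED_ACTIONS)]:
        print(name, audit_mfa(ex, ra) or "OK")
```

Running the same check against every realm and every flow bound to a login path helps catch realms where MFA was assumed to be on but only one of the two settings was changed.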


Advanced security options

For those who want to go one step further, Keycloak offers the option to further strengthen login security. Using Keycloak Extensions, you can create additional filters that block logins from certain geographic regions or IP ranges, for example, or only allow logins at selected times. These options offer an excellent opportunity to further personalise and strengthen your security by determining exactly who can access your systems, when and from where.



The introduction of multi-factor authentication is essential in today’s world to meet security requirements and effectively protect both personal and business data. Keycloak makes this process accessible with a few simple steps, but also offers advanced options for those who want a higher level of control and security.

If you have any questions about implementing multi-factor authentication in Keycloak or need assistance in further securing your systems, don’t hesitate to contact us. In the next post in our blog series “Common problems with Keycloak”, we will go into more detail about the technical aspects of Keycloak. Stay tuned!
