Configure Multifactor Authentication (MFA) in Keycloak

Keycloak supports multifactor authentication (MFA) with One-Time Password (OTP) tokens. This section describes a basic configuration that requires users to enroll an OTP device (for example, Oracle Authenticator, FreeOTP, or Google Authenticator) and to enter an OTP code in addition to their password when signing in.

Configure OTP in the authentication flow

  1. Sign in to the Keycloak administration console: https://manager-fqdn/ovirt-engine-auth/.

  2. Select Authentication, then select the Flows tab.

  3. In the browser flow, find the Browser – Conditional OTP sub-flow and change its requirement from Conditional to Required. While it is Conditional, only users who have already enrolled an OTP device are asked for a code, so a user without a device can still sign in with a password alone; Required makes every sign-in through the browser flow pass the OTP step.

  4. Select the Required Actions tab. Enable Configure OTP and set it as a Default Action, so that the action is attached to every newly created user, who must then configure OTP during first sign-in. A Default Action does not change users that already exist; see the next section for those.

Require OTP for existing users (optional)

To require OTP for a user who already exists in Keycloak:

  1. Select Users, find the user, and open the user details.

  2. On the Details tab, under Required User Actions, add Configure OTP.

User sign-in experience

When a user signs in to the Administration Portal, Keycloak prompts the user to configure an OTP device. The user scans the QR code with an authenticator application and enters the code it generates to complete the setup. Later sign-ins require a current OTP code in addition to the password.

Reset an OTP credential

If a user must reset OTP (for example, after replacing a phone), remove the OTP credential in Keycloak. Because the browser flow now requires OTP, the user is prompted to enroll a new device at the next sign-in; the password is not affected.

  1. In Keycloak, open Users, select the user, and select the Credentials tab.

  2. In Manage Credentials, delete the OTP credential. If the user has enrolled more than one OTP device, delete each of them.
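The same four steps (make the OTP sub-flow required, enable Configure OTP as a default action, attach it to an existing user, and delete a user's OTP credentials) can be scripted against the Keycloak Admin REST API, which is useful when several Managers have to be configured identically or the change must be repeatable. The script below is an added example, not oVirt or Keycloak project code. Everything not stated on this page is an assumption: the Keycloak root URL under the oVirt path, the realm alias `ovirt-internal`, an `admin` account in the master realm, and the two sample JSON responses, which are constructed to mirror the shape Keycloak returns so the decision logic can be exercised without a server.

```python
"""Admin REST API equivalents of the console steps on this page (added example).

Assumed, not taken from the page: BASE_URL, REALM, and an admin account in the
master realm. Network calls are isolated in api(); each decision is a pure
function over the JSON Keycloak returns, so it can be checked offline.
"""
import json
import ssl
import urllib.parse
import urllib.request

BASE_URL = "https://manager-fqdn/ovirt-engine-auth"  # assumed Keycloak root of the oVirt deployment
REALM = "ovirt-internal"                               # assumed realm alias
FLOW_ALIAS = "browser"                                 # built-in browser flow
CONDITIONAL_OTP = "Browser - Conditional OTP"          # display name of the sub-flow from step 3
CONFIGURE_TOTP = "CONFIGURE_TOTP"                      # alias of the "Configure OTP" required action

# Constructed samples in the shape of the two GET responses the script consumes.
SAMPLE_EXECUTIONS = [
    {"id": "ex-cookie", "displayName": "Cookie", "requirement": "ALTERNATIVE", "authenticationFlow": False},
    {"id": "ex-forms", "displayName": "forms", "requirement": "ALTERNATIVE", "authenticationFlow": True},
    {"id": "ex-userpw", "displayName": "Username Password Form", "requirement": "REQUIRED",
     "authenticationFlow": False},
    {"id": "ex-otp", "displayName": CONDITIONAL_OTP, "requirement": "CONDITIONAL", "authenticationFlow": True},
]
SAMPLE_CREDENTIALS = [
    {"id": "cred-pw", "type": "password"},
    {"id": "cred-otp-1", "type": "otp", "userLabel": "old phone"},
]


def admin_token(username, password):
    """Password grant against the master realm's admin-cli client (assumed admin account)."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{BASE_URL}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)["access_token"]


def api(token, method, path, body=None):
    """One call under /admin/realms/{REALM}/; returns parsed JSON, or None for an empty body."""
    req = urllib.request.Request(f"{BASE_URL}/admin/realms/{REALM}/{path}", method=method,
                                 data=None if body is None else json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def otp_execution_update(executions):
    """Step 3: PUT body that sets the Conditional OTP sub-flow to REQUIRED."""
    for ex in executions:
        if ex.get("authenticationFlow") and ex.get("displayName") == CONDITIONAL_OTP:
            return {"id": ex["id"], "requirement": "REQUIRED"}
    raise LookupError(f"{CONDITIONAL_OTP!r} not found in flow {FLOW_ALIAS!r}")


def otp_is_required(executions):
    """Post-change check: True only once the sub-flow reads REQUIRED."""
    return any(ex.get("displayName") == CONDITIONAL_OTP and ex.get("requirement") == "REQUIRED"
               for ex in executions)


def required_action_update(action):
    """Step 4: enable Configure OTP and make it a default action for new users."""
    return {**action, "enabled": True, "defaultAction": True}


def user_with_configure_otp(user):
    """Existing user: add CONFIGURE_TOTP to requiredActions without duplicating it."""
    actions = list(user.get("requiredActions") or [])
    if CONFIGURE_TOTP not in actions:
        actions.append(CONFIGURE_TOTP)
    return {**user, "requiredActions": actions}


def exact_user(users, username):
    """The users search is a substring match; keep only the exact username."""
    return next(u for u in users if u.get("username") == username)


def otp_credential_ids(credentials):
    """Reset: ids of every OTP credential (there may be several); the password is left alone."""
    return [c["id"] for c in credentials if c.get("type") == "otp"]


def enforce_otp(token, username=None, reset=False):
    """Run the procedure end to end, with optional per-user enrolment and OTP reset."""
    path = f"authentication/flows/{FLOW_ALIAS}/executions"
    api(token, "PUT", path, otp_execution_update(api(token, "GET", path)))
    if not otp_is_required(api(token, "GET", path)):
        raise RuntimeError("OTP sub-flow is still not REQUIRED")
    action = api(token, "GET", f"authentication/required-actions/{CONFIGURE_TOTP}")
    api(token, "PUT", f"authentication/required-actions/{CONFIGURE_TOTP}", required_action_update(action))
    if username:
        user = exact_user(api(token, "GET", "users?" + urllib.parse.urlencode({"username": username})), username)
        api(token, "PUT", f"users/{user['id']}", user_with_configure_otp(user))
        if reset:
            for cid in otp_credential_ids(api(token, "GET", f"users/{user['id']}/credentials")):
                api(token, "DELETE", f"users/{user['id']}/credentials/{cid}")


if __name__ == "__main__":
    import getpass
    enforce_otp(admin_token("admin", getpass.getpass("Keycloak admin password: ")), username="alice")
```

The read-back after the PUT is deliberate: a silent 200 on the executions update does not prove the requirement changed, so the script refuses to continue unless the sub-flow really reads REQUIRED. Credential deletion filters on `type == "otp"` so a reset never touches the password credential, and it loops because a user may have enrolled more than one device.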