IAM - Inero Software - Software Consulting

Configuring Password Policies in Keycloak

Marceli Formela — Thu, 20 Mar 2025 12:10:07 +0000

Effective password management is an important aspect of securing user accounts, and Keycloak provides tools to enforce strong authentication policies. By configuring password rules, administrators can ensure that credentials meet security standards, reducing the risk of unauthorized access. The framework offers flexible options, allowing you to set requirements for password length, complexity, expiration, and reuse prevention.

In this blog, we will first take a look at the built-in Keycloak mechanisms for password policy management. Then, we will explore the possibilities for customizing these mechanisms to better fit specific requirements.

Built-in policies

These built-in password policies in Keycloak allow administrators to enforce security rules to strengthen user authentication. Here’s a brief description of each policy:

Expire Password – Forces users to change their password after a specified period.
Hashing Iterations – Determines the number of iterations for password hashing to enhance security.
Not Recently Used – Prevents users from reusing their recent passwords.
Password Blacklist – Blocks specific passwords from being used, typically to prevent weak or common passwords.
Regular Expression – Allows enforcing a custom regex pattern for password validation.
Minimum Length – Sets the minimum number of characters required in a password.
Not Username – Prevents users from setting their username as a password.
Not Email – Prevents users from using their email address as a password.
Not Recently Used (In Days) – Prevents password reuse within a specified number of days.
Not Contains Username – Ensures the password does not include the username as part of it.
Special Characters – Requires passwords to contain at least one special character.
Uppercase Characters – Enforces at least one uppercase letter in the password.
Lowercase Characters – Requires at least one lowercase letter in the password.
Digits – Ensures the password includes at least one numeric digit.
Maximum Authentication Age – Sets a limit on how long authentication remains valid before requiring reauthentication.
Hashing Algorithm – Specifies the hashing algorithm used for password encryption.
Maximum Length – Defines the maximum allowable length for passwords.

Implementing custom policy using SPI

To implement a custom password policy in Keycloak, we should use the Service Provider Interface (SPI).

In this case, we define a custom password policy provider by implementing the PasswordPolicyProviderFactory interface:

				
					public class PasswordCustomPolicyProviderFactory implements PasswordPolicyProviderFactory {

	public static final Integer DEFAULT_VALUE = 1;
	public static final String MIN_PASSWORD_LIFETIME_ID = "minimumPasswordLifetime";

	@Override
	public String getId() {
    	return MIN_PASSWORD_LIFETIME_ID;
	}

	@Override
	public PasswordPolicyProvider create(KeycloakSession session) {
    	return new PasswordCustomPolicyProvider(session);
	}
[...]
}

Factory instantiates and returns a new instance of PasswordCustomPolicyProvider, which contains the actual validation logic for enforcing the minimum password lifetime. The MIN_PASSWORD_LIFETIME_ID constant serves as the unique identifier for this custom policy and DEFAULT_VALUE constant represents the default minimum password lifetime (in days) if no custom value is configured via admin console.

				
					public class PasswordCustomPolicyProvider implements PasswordPolicyProvider {
np.
   private static final String POLICY_VIOLATION_MESSAGE = "passwordLifetimeViolation";


   private final KeycloakSession keycloakSession;

   public PasswordCustomPolicyProvider(KeycloakSession keycloakSession) {
   	this.keycloakSession = keycloakSession;
   }


   @Override
   public PolicyError validate(RealmModel realm, UserModel user, String password) {
   	PasswordCredentialProvider credentialProvider = new PasswordCredentialProvider(keycloakSession);
   	PasswordCredentialModel credentialModel = credentialProvider.getPassword(realm, user);

   	if (credentialModel == null) {
       	return null;
   	}

   	long passwordCreationTime = credentialModel.getCreatedDate();
   	long currentTime = Time.currentTimeMillis();
   	long elapsedTime = currentTime - passwordCreationTime;

   	PasswordPolicy passwordPolicy = realm.getPasswordPolicy();
   	int minPasswordLifetimeDays = passwordPolicy.getPolicyConfig(PasswordCustomPolicyProviderFactory.MIN_PASSWORD_LIFETIME_ID);
   	long minPasswordLifetimeMillis = TimeUnit.DAYS.toMillis(minPasswordLifetimeDays);
   	return elapsedTime >= minPasswordLifetimeMillis ? null : new PolicyError(POLICY_VIOLATION_MESSAGE, minPasswordLifetimeDays);
   }
[...]
}

The PasswordCredentialProvider can access the stored password creation timestamp via the PasswordCredentialModel instance. It then computes elapsedTime as the difference between this timestamp and the current system time, representing how long the password has been in use.

Next, the PasswordPolicy object retrieves the password policy for the realm, extracts the minimum required password lifetime in days (minPasswordLifetimeDays), and converts it to milliseconds (minPasswordLifetimeMillis). The policy ensures that the password has been in use for at least the required duration. If this requirement is not met, a PolicyError is returned. The error message key is stored in POLICY_VIOLATION_MESSAGE, and its content can be customized within our theme. This allows us to define a user-friendly message that informs the user why the password change is restricted and how much time remains before a new password can be set.

In this way, we can define custom password policies in Keycloak when the default set of policies is insufficient for specific requirements. This flexibility allows for more granular control over user authentication and password management when we need it.

Customizing UI to improve user experience

By default, Keycloak displays unsatisfied password policies individually on the login page. This can be problematic for many users, especially when there are multiple policies that are not met. It can lead to a cluttered interface and make it harder for users to understand all the password requirements at once. To address this, you can customize the login screen to display a collective list of all unsatisfied password policies together, providing a clearer and more user-friendly experience.

				
					public class CustomFreeMarkerLoginFormsProvider extends FreeMarkerLoginFormsProvider {
/**
* Mapping between password policy provider IDs and custom messages
* Note: contains only standard policies that must be displayed in the UI
*/
private final Map<String, String> policyPropertyMessages = Map.of(
LengthPasswordPolicyProviderFactory.ID, MINIMUM_LENGTH_MESSAGE,
MaximumLengthPasswordPolicyProviderFactory.ID, MAXIMUM_LENGTH_MESSAGE,
DigitsPasswordPolicyProviderFactory.ID, MINIMUM_DIGIT_MESSAGE,
SpecialCharsPasswordPolicyProviderFactory.ID, MINIMUM_SPECIAL_CHAR_MESSAGE,
UpperCasePasswordPolicyProviderFactory.ID, MINIMUM_UPPERCASE_MESSAGE,
LowerCasePasswordPolicyProviderFactory.ID, MINIMUM_LOWERCASE_MESSAGE,
NotUsernamePasswordPolicyProviderFactory.ID, NOT_USERNAME_MESSAGE,
NotContainsUsernamePasswordPolicyProviderFactory.ID, NOT_CONTAINS_USERNAME_MESSAGE,
NotEmailPasswordPolicyProviderFactory.ID, NOT_EMAIL_MESSAGE
);

[...]

@Override
protected void createCommonAttributes(Theme theme, Locale locale, Properties messagesBundle,
UriBuilder baseUriBuilder, LoginFormsPages page) {
super.createCommonAttributes(theme, locale, messagesBundle, baseUriBuilder, page);
if (realm != null && realm.getPasswordPolicy() != null) {
attributes.put("passwordPolicies", getPasswordPolicyMessages(realm.getPasswordPolicy(), messagesBundle));
}}

[...]

private Map<String, String> getPasswordPolicyMessages(PasswordPolicy passwordPolicy, Properties messagesBundle) {
Map<String, String> policyMessages = new HashMap<>();
PasswordPolicy.Builder builder = passwordPolicy.toBuilder();
for (String policyName : passwordPolicy.getPolicies()) {
var value = builder.get(policyName);
String message = extractPolicyMessage(policyName, value, messagesBundle);
if (message != null) {
policyMessages.put(policyName, message);
}
}
return policyMessages;
}

[...]

/**
* Extracts a message for a given password policy from the messages bundle
* Note: Policy message is constructed by replacing the {0} placeholder with the policy value
*/
private String extractPolicyMessage(String policy, String value, Properties messagesBundle) {
String property = policyPropertyMessages.get(policy);
if (property == null) {
return null;
}
String policyMessage = messagesBundle.getProperty(property);
return policyMessage != null ? policyMessage.replace("{0}", value) : null;
}

The getPasswordPolicyMessages() function already collects the password policies from the PasswordPolicy and maps them to the appropriate messages from the message bundle. You can extend this function to display all unsatisfied policies in one collective message.

Password policies such as minimum length, required digits, special characters, etc., are mapped to messages via the extractPolicyMessage() method. Our service implementation will iterate through each policy and check if it’s satisfied. If not, the corresponding message will be displayed.

In your update-password.ftl page, you can display these unsatisfied policies as a list using FreeMarker.

				
					
    	<#if passwordPolicies?has_content>
        	<div class="${properties.kcAlertClass}">
            	<div class="${properties.kcAlertIconWrapperClass}">
                	<span class="${properties.kcAlertIconClass}"></span>
            	</div>
            	<span class="${properties.kcAlertTitleClass}">
            	${msg("passwordInstruction")} <br>
            	<#list passwordPolicies?keys as key>
                	<span class="${properties.kcAlertTitleClass}">&#x2022; ${passwordPolicies[key]}</span><br/>
            	</#list>
            	</span>
        	</div>
    	</#if>

Real world policy examples

Let’s see how password policies look in large companies.

Apple requires passwords to be at least eight characters long and must include both letters and numbers. Additionally, passwords cannot contain three or more consecutive identical characters and cannot be commonly used passwords.

Facebook enforces a minimum password length of more than six characters, although longer passwords are recommended. While Meta does not require the use of special characters or digits, it encourages creating complex passwords.

Microsoft passwords must be at least 8 characters long and contain at least two of the following types of characters: uppercase letters, lowercase letters, digits, and symbols. Additionally, it may block the ability to set a password that is too similar to the previous one.

Although these companies use different tools for authentication, it’s important to consider the security standards implemented in big real-world systems.

And despite the fact that these password policies are not extremely restrictive, users should still avoid using sensitive personal information, such as names, birthdates, or phone numbers, in their passwords. Additionally, it’s essential to avoid reusing passwords across different services, as this can lead to vulnerabilities in case one account is compromised. Employing two-factor authentication (2FA) and periodically reviewing password security are further steps users can take to enhance their protection.

Summary

As you can see now, Keycloak provides a set of default password policies that cover standard security rules, such as minimum length, complexity requirements, and password history. These built-in policies are sufficient in many cases, but if needed, there is the option to customize them to meet specific organizational requirements. Keycloak also allows the creation of custom password policies, providing greater control over security.

In addition to customizing policies, Keycloak enables modification of the user interface, which is especially useful when the default display of password policy violations, such as showing unmet requirements individually, does not meet our needs. In such cases, we can change how errors are presented or enrich the messages with additional details to make them more user-friendly.

With these options, Keycloak demonstrates a high level of flexibility, allowing full control over security policies and the user interface, making it a versatile solution for identity and access management. The ability to define custom rules and adjust components ensures that Keycloak is a scalable tool that can be easily tailored to the specific needs of an organization.

Artykuł Configuring Password Policies in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Setting Up Passwordless Login with Passkey on a Mobile Device

Marceli Formela — Wed, 12 Mar 2025 07:47:03 +0000

In our previous post, we demonstrated how to configure Passkeys in Keycloak, replacing traditional passwords with WebAuthn-based authentication. We covered the setup process, key advantages, and potential limitations, including the challenge of user adoption. This blog focuses on configuring Passkeys specifically for mobile devices, ensuring a seamless and secure passwordless experience.

Our first publication about Passkeys in Keycloak, you can find here: An introduction to Passkey with Keycloak

In this post, we’ll dive deeper into optimizing Passkey authentication in Keycloak, looking into a different approach, this time using more than one device.

Using a Passkey stored on a phone

When logging in on a different device, such as a laptop or desktop, users can authenticate using a Passkey stored on their phone. The process works as follows:

Selecting Passkey Login
Instead of entering a password, users choose the Passkey authentication option. The laptop’s browser generates a request for authentication. Now we have to establish a secure connection between your phone (e.g., iPhone) and your laptop.
Scanning a QR Code
The login interface generates a QR code, which users scan using their phone’s camera. Then the laptop sends a cryptographic challenge to the phone, asking it to sign a request using the stored passkey. The phone communicates securely with the laptop over Bluetooth or other close-range communication protocols (like NFC).
Confirming Identity
Once the phone receives the challenge, it asks the user for biometric authentication (e.g., Face ID or Touch ID). This verifies that the person attempting the login is the authorized user.
Secure Authentication
The laptop checks the response from the phone, verifying the cryptographic signature against the public key registered with the service. If the verification is successful, the user is logged in without having to enter a password.

Step by step: Configuring Passkey with a smartphone

Before we dive into our custom authentication flow, it’s important to check if the Webauthn Register Passwordless required action is enabled in the realm (Authentication -> Required actions tab).

This gives us, for example, the ability to enforce passkey configuration from users after their next successful login. However, it’s important to remember that this is just one of many ways to configure multiple authentication methods.

Once we confirm that this option is active, we can proceed with configuring the authentication flow.

This custom authentication flow for Keycloak is designed to demonstrate how users can choose between password-based authentication and passkey authentication (WebAuthn) during login. Here’s how it works:

- Users are required to provide their username to proceed with authentication.
- This step enforces authentication, but users can choose between password-based login or passkey-based login.
- If the user opts for password authentication, they enter their credentials here.
- If the user prefers passwordless authentication using passkeys, they can authenticate using this method instead.

In this step, users can enter their username or email to proceed with authentication. This is a required step, ensuring that the system identifies the user before offering authentication options.

At this stage, we can only use password authentication because we haven’t configured our Passkey (WebAuthn) yet. Once Passkey is set up, users will have the option to choose between password-based and passwordless authentication.

Instead of registering a device PIN as mentioned earlier, we will use authentication via a phone, specifically an iPhone, in this example

Now, a QR code should appear, allowing us to register a Passkey on our account. Let’s scan it using our phone’s camera and verify the operation, for example, using Face ID.

Now, our Passkey should be visible in the Credentials section.

During the next login, we should see the option to choose between password authentication and Passkey authentication.

This setup enhances user convenience by allowing them to pick their preferred authentication method. Passkeys provide a more secure and phishing-resistant login experience, while passwords remain available for users who prefer traditional authentication. With this flexibility, we can ensure both security and ease of access for different user preferences.

It is worth remembering that traditional passwords are a weak link in digital security, often compromised through reuse, phishing, or data breaches. Passkeys offer a modern, passwordless authentication method that enhances security and usability by leveraging cryptographic key pairs managed by platform authenticators. They provide phishing resistance, seamless multi-device access, and compliance with multi-factor authentication (MFA) standards.

Best Practices in Keycloak: Secure Your System in 5 Steps

Artykuł Setting Up Passwordless Login with Passkey on a Mobile Device pochodzi z serwisu Inero Software - Software Consulting.

Trusted devices in Keycloak

Marta Kuprasz — Thu, 06 Mar 2025 10:47:08 +0000

User authentication in IT systems requires finding a balance between convenience and security. On one hand, users expect the login process to involve the fewest steps possible; on the other, it is essential to protect system access from unauthorized use. One way to manage security levels flexibly is through the trusted devices mechanism, which allows users to reduce the number of required login steps for recognized and secure devices.

The stricter the security policy, the more inconvenient it becomes for users—this is the eternal dilemma for system administrators. Long and complex passwords, frequent password changes, and additional authentication factors enhance security but also lead users to find ways to bypass procedures—such as writing passwords down in notebooks or saving them in browsers.

Trusted Devices – How Does It Work?

By default, Keycloak does not recognize or remember devices, meaning each session is treated independently. However, with extensions, support for trusted devices can be added, allowing users to skip certain steps during subsequent logins.

CTO of Inero Software, Waldemar Korłub, emphasizes:

"Hence the concept of trusted devices – the first time, we need to go through all the steps, but afterward, the application can, for example, skip asking for the two-factor authentication code."

Once a device is marked as “trusted,” the system can retain its status for a specified period, allowing for a simplified login process. However, the user may still be periodically asked to reauthenticate to ensure security.

Is remembering devices secure?

While the trusted devices mechanism improves user convenience, it also introduces additional risks. The biggest threat is the theft or loss of a device that has been previously marked as trusted.

As Waldemar Korłub points out:

"If the system does not require an additional authentication factor, an attacker could gain access to all stored applications. That’s why it is crucial for users to have control over their trusted devices—ideally through a panel where they can remove them at any time."

Introducing a device management panel and the option to revoke a device’s trusted status in case of loss are essential elements for ensuring security.

How can administrators control access in Keycloak?

Administrators can restrict the device remembering mechanism, for example, to specific networks or corporate devices.

Waldemar Korłub explains:

"We can limit this mechanism, for example, to computers within the local network—if users connect via the corporate VPN, we can recognize company-owned devices and enable the trusted devices option for them."

Thanks to such solutions, organizations can prevent users from assigning trusted status to personal devices that are beyond their control.

Trusted Devices in Keycloak – Key Takeaways

- Trusted Devices Help Simplify Login but Require Proper Security Measures
  The trusted devices mechanism in Keycloak allows users to skip certain authentication steps, such as entering a 2FA code. While this is a convenient solution that streamlines daily operations, it also requires the implementation of appropriate security measures. It is essential to define the validity period of a trusted device and monitor changes in login behavior to prevent misuse.

- Administrators Can Control the Trusted Device Access Policy
  Not every device should be marked as trusted, which is why administrators can restrict this feature to corporate computers or require a VPN connection. This helps prevent situations where a user assigns trusted status to a personal computer that the organization cannot control.

- Device Management Panel Enhances Security
  To give users greater control over their sessions, it is beneficial to implement a panel that allows them to review and remove trusted devices. This way, in case of device loss or suspected unauthorized access, users can quickly revoke granted permissions.

- The Ability to Remove a Device Protects Against Account Takeover
  If a device is lost or stolen and the system does not require additional authentication, an attacker could gain access to the user’s account. That’s why it is crucial to allow the removal of trusted devices at any time and enforce reauthentication. This approach provides greater flexibility while reducing the risk of unauthorized account access.

When Should You Use the Trusted Devices Feature in Keycloak?

The trusted devices feature in Keycloak enhances login convenience while maintaining a high level of security. This functionality is particularly useful in corporate environments and BYOD (Bring Your Own Device) models, where users regularly log in from the same devices.

Marking a device as trusted reduces the number of two-factor authentication (2FA) prompts, extends session duration, and allows for dynamic security policy adjustments, such as requiring reauthentication for suspicious logins. This approach helps mitigate the risk of account takeover—even if an attacker obtains a password and 2FA code—since logging in from a new device may trigger additional verification.

Implementing trusted devices in Keycloak enables organizations to strike a balance between security and user convenience.

The trusted devices mechanism in Keycloak enhances login convenience without significantly compromising cybersecurity. Proper implementation of the device remembering policy in Keycloak helps balance system security and user experience.

However, administrators should ensure that mechanisms are in place for managing the list of trusted devices and enforcing periodic verification of their status to mitigate potential security risks.

We will help you implement Keycloak

Want to implement Keycloak or add new functionalities? Schedule a meeting to explore the possibilities.

Schedule a meeting

Artykuł Trusted devices in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

An introduction to Passkey with Keycloak

Marceli Formela — Wed, 26 Feb 2025 08:11:28 +0000

Traditional passwords have long been a weak factor in digital security. They are often reused, easy to compromise, and vulnerable to phishing attacks. Passkeys offer a modern solution by replacing passwords with app-specific cryptographic key pairs managed by platform authenticators. Because passkeys involve multiple authentication touchpoints, they meet multi-factor authentication (MFA) requirements and align with multiple standards.

In this blog post, we’ll show you how to set up Passkeys based on the Keycloak configuration we’ve covered in previous posts (check Securing Java Spring Endpoints with Keycloak or Hands-On Keycloak SSO: From Setup to Integration). While passkeys promise a seamless and secure authentication experience, integrating them into an existing system can come with its own challenges. We’ll guide you through the basic setup process. If you’re looking to modernize your authentication strategy, this is the perfect place to start.

How it works

Passkeys are a passwordless authentication method designed to replace traditional passwords with a more secure and convenient alternative. Unlike passwords, which can be phished, stolen, or forgotten, passkeys eliminate these risks by using cryptographic key pairs stored in a trusted authenticator, such as a smartphone, another device, or a password manager. Instead of manually creating and remembering a password, users enable an authenticator to generate and manage a passkey for them. In general, a passkey consists of two parts:

- A public key, which is stored by the application
- A private key, which remains securely stored in the user’s authenticator

The private key never leaves the device, ensuring that even if the public key is compromised, accounts remain secure.

When logging in, the app sends a challenge to the authenticator.
The user verifies their identity using biometrics (Face ID, Touch ID), a PIN, or a password.
The authenticator signs the challenge with the private key and sends it back for verification.
If the signature is valid, access is granted – without ever needing a password.

Advantages of Passkeys

- Unlike passwords, passkeys can’t be stolen through phishing attacks. They are bound to a specific website or app, meaning they won’t work on fake login pages. Even if a user visits a phishing site, their passkey won’t be prompted and won’t sign them in, preventing credential theft.
- Users don’t have to manage multiple passwords across accounts. Logging in is as simple as using Face ID, Touch ID, or a device PIN.
- Passwords can be guessed, reused, or leaked—passkeys can’t. Even some 2FA methods (like SMS codes) are vulnerable to phishing and SIM-swapping, while passkeys are not. Since passkeys use public-key cryptography, they can’t be stolen or intercepted in a data breach.
- Passkeys are stored in platform authenticators (e.g., Google Password Manager, Windows Hello). They can be automatically synced across devices, ensuring access without manual transfers.

Limitations of Passkeys

- Not all websites and applications support passkeys yet, meaning users may still need to rely on passwords for some services.
- Losing access to a primary device or cloud account could lock users out, requiring recovery options like backup devices.
- Many users are still unfamiliar with passkeys, and the transition away from passwords requires education. Since passkeys don’t require manual entry, users may feel a lack of control over their credentials compared to traditional password management.

Configuring Passkey for the Realm

Keycloak provides flexible authentication options, traditionally relying on passwords and OTP-based multi-factor authentication (MFA). However, with the rise of passwordless security, Keycloak also supports WebAuthn Passwordless (Passkeys). In this setup, we will disable both passwords and OTP authenticators, ensuring that users can only log in using Passkeys.

The order of authenticators determines the login workflow in Keycloak. We keep the cookie authenticator to allow users to maintain active sessions. To support external authentication, we enable the Identity Provider Redirect, allowing users to log in via upstream providers like Google, or another Keycloak instance. Next, we configure the actual login form. By default, Keycloak’s browser flow includes username, password, and MFA authentication. We can disable everything in this section and replace it with a single step: adding a WebAuthn Passwordless Authenticator, ensuring that users can only log in using Passkeys. The final flow should look something like this:

Once the WebAuthn Passwordless Authenticator is set up, the next step is to bind the authenticator to the browser login flow.

Now, all that’s left is to force a password reset for our sample user by setting the required action to WebAuthn Register Passwordless.

After clicking the link in the received email, Keycloak will display a dialog instructing the user to register their passkey.

Just click to register the passkey.

Your device’s platform authenticator will appear showing available options for confirming the user’s identity. Let’s assume we want to use Windows Hello and confirm identity with a PIN code – the same that is used when logging into the Windows account.

The passkey should now be visible in the credentials section of the specified user.

Now we can go to the realm’s login page and try using our passkey instead of the standard username and password.

Your platform authenticator should appear again, offering to use the registered passkey.

Passkeys aren’t perfect, but their benefits outweigh their drawbacks for most users. As adoption increases, many of these limitations will be addressed. However, in the short term, users and organizations need to be aware of potential challenges when integrating passkeys into their authentication workflows. Organizations seeking to integrate passkeys into their authentication systems can leverage tools like Keycloak. By integrating passkeys into Keycloak, organizations can provide users with secure, passwordless access to applications while still benefiting from Keycloak’s major features like Single Sign-On (SSO), multi-factor authentication (MFA), and fine-grained access control.

Artykuł An introduction to Passkey with Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Behind the Scenes #2: Implementing email-based MFA in Keycloak

Marceli Formela — Thu, 13 Feb 2025 09:50:32 +0000

Keycloak natively supports many secure login solutions and comes with built-in one-time password (OTP) mechanisms, such as authentication via mobile apps like Google Authenticator or our solution AuthM8. However, if we want to use other advanced authentication methods and for example send OTP codes via email, then similar to SMS multi factor authentication (more details HERE), we need to implement this functionality ourselves. In this post, we’ll explore a custom MFA implementation that sends a one-time authentication code to the user’s email.

How does email-based MFA work?

The authentication process consists of two main stages:

- Generating and sending the MFA code

If the user already has an active cookie confirming a previous MFA verification, they should be immediately authenticated. Otherwise, Keycloak creates a new credential for the user and generates a one-time code based on configurable parameters like length or time-to-live. The code is stored in the user’s credentials and then is emailed using the email provider.

- Verifying the entered code

When a user submits the code, KC retrieves the stored credential and compares the entered value. If the code is correct and still valid (not expired), authentication is successful, and a cookie is set to remember the verification. If the code is incorrect, the user is prompted to re-enter it and if the code has expired, an error message is shown and the process must be restarted.

Email MFA: Pros and Cons

Email-based MFA offers additional security when the primary factor, such as a password, has been compromised. This is particularly helpful in cases where passwords are brute-forced or easily guessed, such as with common combinations like 123456. Similarly, this solution offers protection against credential stuffing, where attackers use leaked passwords from other breaches to attempt logging into account.

There are several other benefits to using email as a MFA:

- Email MFA does not require users to provide additional sensitive information, such as a phone number, reducing concerns about privacy.

- It does not require users to install a separate app or complete a complicated setup, which simplifies the process.

- Users are accustomed to providing their email for various purposes, such as receiving important account updates or resetting passwords. This familiarity makes it more accessible.

However, email as a delivery channel does have some drawbacks. If an attacker compromises your email (gains access to an email account through stolen credentials or by exploiting an active session.), they could potentially reset other accounts’ passwords as well. For users in vulnerable situations, such as those with access to shared devices, email-based MFA can still leave them exposed. As with any security measure, it’s essential to weigh the benefits against the potential risks and mix email MFA with other safeguards, such as strong passwords policy and secure email practices.

Implementing Email MFA

In this modified Browser Authentication Flow, we integrate our custom MFA as an additional authentication method. There are two new steps:

- MFA Email setup – this step ensures that email is set up and verified for the user before proceeding. If the user does not have a custom MFA Credential (which stores OTP codes as secrets), it will be set as well.

public class MfaEmailSetupAuthenticator implements Authenticator, CredentialValidator {
@Override
public void authenticate(AuthenticationFlowContext context) {
[…]
// Require email verification
if (!userModel.isEmailVerified()) {
userModel.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
}
// Add MFA email credential if not present
if (!getCredentialProvider(context.getSession()).isConfiguredFor(realmModel, userModel, MfaEmailCredentialModel.TYPE)) {
userModel.credentialManager().createStoredCredential(new MfaEmailCredentialModel(new MfaEmailCredentialData()));
}
[…]

- MFA Email Authentication – this is the actual authentication step where a one-time code is sent via email. Marked as Alternative, meaning it can be used instead of other MFA methods like mobile app OTP.

Here, you can see how the configuration of this authenticator could look like in the Keycloak authentication flow.

- Max Cookie Age this setting determines how long the MFA session (cookie) is valid. If the cookie is still valid, the user won’t be prompted for MFA.
- Time-to-live indicates the lifetime of the MFA code.

Now let’s take a look at the code.

The method below handles the MFA process itself. If a valid cookie exists (indicating that the user has already completed MFA), the method immediately returns success, meaning the authentication flow is complete without requiring additional actions.

@Override
public void authenticate(AuthenticationFlowContext context) {
if (hasValidCookie(context)) {
context.success();
return;
}
[…]

If there is no cookie, we should try to retrieve the user’s existing MFA credential from the credential provider. If the user doesn’t have one, a new instance is created using the MfaEmailCredentialModel which just extends the built-in CredentialModel:

[…]
// get existing credential or create a new one
CredentialModel credentialModel = getCredentialProvider(session)
.getDefaultCredential(session, context.getRealm(), user);
if (credentialModel == null) {
credentialModel = user.credentialManager().createStoredCredential(new MfaEmailCredentialModel(new MfaEmailCredentialData()));
}
[…]

Then the authenticate method reads configuration properties like code length and TTL (time-to-live). The code itself can be generated using some utils method and will be stored as the secretData in the credential model.

// generate and store code
int length = Integer.parseInt(configMap.get(CONFIG_CODE_LENGTH));
int ttl = Integer.parseInt(configMap.get(CONFIG_CODE_TTL));
String code = MfaEmailCodesUtils.generateCode(length);
credentialModel.setSecretData(code);
user.credentialManager().updateStoredCredential(credentialModel);
AuthenticationSessionModel authSession = context.getAuthenticationSession();
authSession.setAuthNote("ttl", Long.toString(System.currentTimeMillis() + (ttl * 1000L)));

In the end the sendCode method is called to send the generated code to the user’s email. If the email is sent successfully, the method presents the form where the user can enter the MFA code.

// send email and show input form
try {
MfaEmailCodesUtils.sendCode(session, user, ttl, code, configMap);
context.challenge(context.form().setAttribute("realm", context.getRealm()).createForm(TPL_CODE));
} catch (Exception e) {
context.failureChallenge(AuthenticationFlowError.INTERNAL_ERROR,
context.form().setError("mfaEmailNotSent", e.getMessage())  .createErrorPage(Response.Status.INTERNAL_SERVER_ERROR));
}

The second major part of our Authenticator is the action method which handles the validation of the code entered by the user. It is invoked when the user submits the input form after receiving the email.

The method retrieves the user’s credential from the provider and then the code is validated by checking it against the stored credential using the custom isValid method.

[…]
final MfaEmailCredentialModel credentialModel = getCredentialProvider(session)
        .getDefaultCredential(session, context.getRealm(), user);
boolean isValid = getCredentialProvider(session).isValid(context.getRealm(), user,
     new UserCredentialModel(credentialModel.getId(), getCredentialProvider(context.getSession()).getType(), enteredCode));
[…]

If the code is valid, the next step is to check if it is expired. We can also set a cookie that stores the MFA session to prevent the user from being prompted for MFA again during the cookie’s validity period.

[…]
// valid
HttpResponse response = context.getSession().getContext().getHttpResponse();
response.setCookieIfAbsent(createCookie(context));
context.success();
[…]

Of course, in this post, we will not cover the entire topic, omitting implementation details such as sending the code, generating the code, validation, and creating our custom cookie.

However, we have walked through the major steps of implementing 2FA using email-based codes. On the one hand, this approach offers a simple and accessible solution. Although it has its drawbacks, using it in solutions like Keycloak helps mitigate many of these vulnerabilities. Keycloak also provides the flexibility to combine email-based MFA with other security measures, creating a more layered and resilient authentication process that can help protect against evolving cybersecurity threats.

Do you need help configuring multi-factor authentication?

Schedule a meeting to find out how we can help you.

Schedule a meeting

Artykuł Behind the Scenes #2: Implementing email-based MFA in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Security Information and Event Management Systems: Why Is It Worth Adding Keycloak?

Marta Kuprasz — Thu, 06 Feb 2025 10:15:42 +0000

Security Information and Event Management (SIEM) systems enable the collection and analysis of data on user activity, system access, and cybersecurity events to detect threats and respond to incidents in real time. Identity and Access Management (IAM) systems, in turn, provide insights into user activity. In this blog, you’ll learn how Keycloak can support your SIEM system.

In the Report on the State of Cybersecurity in Poland for 2023 prepared by CSIRT GOV, it was indicated that among the threats persisting in the Polish cyberspace in 2023, which had a significant impact on risk assessment, social engineering attacks and brute-force attacks were particularly notable. Social engineering attacks involve manipulating users to gain unauthorized access to systems, while brute-force attacks rely on automatically attempting various password combinations to break security measures.

Proper identity management and log monitoring are key elements in protecting against such attacks. This is why integrating Keycloak with a SIEM system allows organizations to detect threats more effectively and respond to them immediately.

Why Is It Worth Integrating SIEM with Keycloak?

Every organization using a SIEM system aims to detect as many threats as possible and respond to incidents as quickly as possible. Information about who attempted to access systems, from where, and when can be crucial in identifying attacks and unauthorized login attempts. This is where Keycloak—a popular open-source IAM platform—can significantly enhance the SIEM ecosystem by providing valuable data on authentication, authorization, and session management processes.

Keycloak, developed by the Red Hat community, offers comprehensive solutions for authenticating and authorizing users in web applications, mobile apps, and backend services. We’ve covered it in detail https://inero-software.com/keycloak-services/

Keycloak can provide data on:

Login attempts – both successful and failed, along with information about the originating IP address.
Forced password resets and changes in access policies – allowing for monitoring of potential account takeover attempts.
User sessions – including unusual logins from new locations or devices.
Detected threats, such as suspicious multiple login attempts (e.g., brute-force attacks, which involve cracking passwords or cryptographic keys by trying all possible combinations).

The SIEM system, in turn, can analyze this data and correlate it with other events, such as:

Login attempts from unusual locations linked to suspicious network activity.
Multiple failed login attempts from a single IP address – a sign of a brute-force attack.
Sudden changes in user privileges associated with suspicious system access.

An example of effective integration can be seen in a situation where a user repeatedly enters an incorrect password within a short period. Keycloak logs this as suspicious activity. A SIEM system can then correlate this data with login attempts from different locations and take action, such as temporarily blocking the account or enforcing additional authentication.

How Do Keycloak and SIEM Work Together?

Keycloak and Security Information and Event Management (SIEM) systems serve different purposes in identity management and IT security, but they complement each other perfectly.

Feature	SIEM (Security Information and Event Management)	IAM (Identity and Access Management – Keycloak)
Main Function	Monitoring and analyzing security events	Managing user identities and access
Scope of Operation	Log collection, incident analysis, threat detection	Authentication, authorization, access control
Types of Data	System logs, network traffic, security alerts	User sessions, authentication logs, authorization requests
Mode of Operation	Aggregation and correlation of events from multiple sources	Verification of user identities and permissions
Primary Uses	Anomaly detection, incident response, compliance	Single Sign-On (SSO), identity federation, MFA
Examples of Threats	DDoS attacks, malware, privilege escalation	Brute-force attacks, account takeover, privilege misuse
Response to Threats	Alert generation, automatic blocking, reporting	Account blocking, enforcing MFA, session management
Integration with Other Systems	Yes – collects logs from SIEM systems, IDS, firewalls	Yes – integrates with LDAP, AD, databases, SIEM

How to Implement Keycloak?

Integrating Keycloak with a SIEM system enhances IT security by providing additional information about users and their activities. This allows organizations to detect threats more effectively and respond to incidents more quickly.

If you’re wondering how to implement and configure Keycloak for your organization, be sure to check out these articles:

These resources provide practical guidance on configuring and integrating Keycloak with various systems. Importantly, one of Keycloak’s key features is its ability to integrate with Lightweight Directory Access Protocol (LDAP) directories, which we covered in detail here: Exporting accounts to federated realms: A guide to Keycloak and LDAP Integration

There are many SIEM solutions available on the market, so it’s worth conducting a security audit within your organization before making a decision. Identifying potential vulnerabilities will help guide the selection and implementation of an appropriate incident management system, enhanced with Keycloak integration, to better monitor threats and strengthen data protection across your organization.

Do You Want to Implement Keycloak?

Benefit from our experience. We have completed numerous implementations for SMEs and large organizations. We’d be happy to discuss potential collaboration opportunities.

Schedule a Meeting

Artykuł Security Information and Event Management Systems: Why Is It Worth Adding Keycloak? pochodzi z serwisu Inero Software - Software Consulting.

Challenges and Benefits of Integrating Keycloak: Compliance with the NIS 2 Directive and Practical Implementation Advice

Marta Kuprasz — Tue, 16 Jul 2024 08:18:41 +0000

The widespread digitalization of services is leading to an increasing amount of resources being moved to the cloud. While this approach brings numerous benefits, including flexibility and scalability, it also exposes these services externally, increasing the risk of unauthorized access. Managing access to cloud resources is becoming an increasingly significant challenge, especially in large organizations that operate with a growing number of users, contractors, and a diversity of roles and permissions.

This process has attracted the attention of the global community, which emphasizes the importance of tailoring secure practices to the specific needs of individual companies and the sectors in which they operate through guidelines and directives. Directive 2022/2555, known as the NIS 2 Directive, is the European Union’s response to these changes and the need to introduce a uniform set of information security obligations and standards across member countries. The main obligations arising from the directive include:

- The obligation to implement risk management measures and incident response protocols
- The obligation to report significant cybersecurity incidents to the relevant authorities.
- The requirement for cooperation between member states and with relevant authorities at the EU level.
- Dedicated requirements for key sectors such as energy, transport, health, and finance.

What Will Change with the NIS 2 Directive

The new regulations have extended coverage to more sectors and a larger number of organizations, including medium and large enterprises in critical industries. Stricter requirements for information security and reporting obligations have been introduced to increase resilience to cyber threats. According to Article 21, paragraph 3, companies are required to verify the overall quality of their suppliers’ and service providers’ cybersecurity products and practices, including their secure development procedures.

In the report “Foresight Cybersecurity Threats for 2030,” ENISA (European Union Agency for Cybersecurity) presented a detailed analysis of emerging cybersecurity threats up to the year 2030. Analysts identified the following key threats:

- Disruption of the software supply chain
- Shortage of skilled cybersecurity specialists
- Human errors and exploitation of legacy system

The latest reports on software supply chain security confirm that it is one of the biggest threats to cybersecurity. The report “The State of Software Supply Chain Security 2024” from ReversingLabs indicates that the number of attacks on the software supply chain has increased by 289% over the past four years, with most attacks concentrated on popular open-source repositories such as npm and PyPI.

In the ENISA publication, the danger associated with the growing dependence of key economic sectors on external IT services is also highlighted. This dependence can lead to an increased number of interactions in the digital landscape. As a result, key service providers are gradually becoming dependent on software whose development process is neither certified nor managed.

How to Ensure IT Solutions Compliance with the NIS 2 Directive

NIS 2 is a fairly general directive and does not explicitly state what actions to take or what steps to follow. Nevertheless, it sets a direction for cybersecurity measures, highlighting the following key actions:

Ensuring uniform and verified authorized access to digital services, especially those processing personal data.
Implementing continuous monitoring and security updates within enterprises for critical service access points.
Standardizing access processes to digital services along with implementing a user identity management system.
Reporting and monitoring the status of access to authorized services and data collections.

For this reason, we can expect an increase in interest in implementing IAM (Identity and Access Management) solutions in the near future. The primary issue is not only the implementation of the IAM system itself but also the ability to adapt it to the specific integration needs of various solutions:

SSO with Keycloak – Significantly simplifies the authentication and authorization process within organizations, improving user convenience and system security. With single sign-on, users can more efficiently utilize different applications, thereby increasing productivity.
Event Logging and Alerts – Keycloak logs various events such as logins, password changes, authentication errors, and system configuration modifications. Alerts help in rapid threat response, minimizing security breach risks and enhancing cloud resource protection.
Custom Authorization Flow in Keycloak – Allows for the creation of custom authentication and authorization processes tailored to the specific requirements of an organization. The need for this solution arises from the necessity to provide flexibility and security in managing access to resources.
Identity Providers – Integrating Keycloak with Microsoft Active Directory (AD) and Google Workspace enables central identity and access management. This allows users to utilize single sign-on (SSO), gaining access to multiple applications with one set of credentials.
Scaling Keycloak – Allows handling a growing number of users and applications by running multiple instances in a clustered configuration, ensuring even load distribution and high availability.

How to Prepare for a Discussion on Implementing Keycloak in a Large Organization?

Technical discussions about implementing new tools can be lengthy and multi-staged, so it is essential to prepare properly to ensure the consultation phase proceeds quickly and both parties obtain sufficient information. We asked our CEO, Andrzej Chybicki, for advice on how to best prepare for implementing Keycloak.

WHAT ARE THE MOST COMMON NEEDS OF COMPANIES SEEKING CYBERSECURITY COLLABORATION?

Keycloak is a specific yet comprehensive solution that allows for the creation of advanced user authorization management systems. Its biggest advantage is the possibility of implementing it as on-premise software.

Even companies with extensive experience can face challenges when introducing a significant change such as a custom authorization flow in their login systems and often seek consultation. In such situations, they look for partners who have practical experience in similar projects, are familiar with common problems, and have proven methods for solving them.

Our clients include organizations at various levels of IAM experience – some are considering implementation, aware of the benefits of identity and access management but unsure where to start. Others have already begun implementation and installed necessary components but face challenges in configuring customization for users, partners, and employees, for instance, in designing complex authorization schemes required by their operations.

HOW TO PREPARE FOR THE IMPLEMENTATION OF KEYCLOAK TO ENSURE A SMOOTH PROCESS?

When helping companies create internal IAM solutions, our actions lead to two fundamental questions. First, it is essential to assess whether Keycloak, compared to other solutions like Okta or AWS Cognito, which might offer simpler handling and cloud-level automation, is the best choice. Then, it becomes crucial to outline authorization processes, application integration, installation type (on-demand or on-premise), technical support, and long-term strategy with system updates. These are the basic issues to discuss at the outset.

WHAT DO CLIENTS EXPECT FROM US AS A COMPANY COMPREHENSIVELY IMPLEMENTING KEYCLOAK?

Our experience shows that the greatest help for our partners is the specialized knowledge gained from similar initiatives. They often seek experts when they have specific requirements for customizing production software or need to create an add-on (plugin). They expect our support, counting on us to use experiences from previous projects and show how we handled similar challenges in the past. Examples range from ensuring scalability, configuring and integrating with cloud authorization flows to integrating with database systems handling millions of users simultaneously. Our task is to provide advisory services that meet their essential needs.

WE’VE IMPLEMENTED KEYCLOAK, BUT WHAT NEXT? DOES THE COMPANY NEED TO HIRE DEVELOPERS FAMILIAR WITH THIS TOOL TO MANAGE THE SYSTEM POST-IMPLEMENTATION?

The process of implementing and configuring Keycloak is complex, and the intensity of work during the project is not even. Such work is often overseen by the security department or individuals at the chief technical management level – thus requiring coordination among multiple employee groups. Coordination with support teams is also often needed to determine the optimal time to introduce changes in authorization processes.

Implementing Keycloak does not require the constant presence of dedicated experts within the organization. Keycloak is generally a stable tool, and it is crucial for system managers to know how it functions and to be able to operate Keycloak’s administrative panel, utilizing its features without the need for modification.

However, long-term support is essential, including regular security updates that the Keycloak community releases every few months. These updates are critical, and it is valuable to have access to skills and knowledge in case of critical issues.

[1] https://www.enisa.europa.eu/publications/foresight-cybersecurity-threats-for-2030-update-2024-extended-report

Artykuł Challenges and Benefits of Integrating Keycloak: Compliance with the NIS 2 Directive and Practical Implementation Advice pochodzi z serwisu Inero Software - Software Consulting.

Best Practices in Keycloak: Secure Your System in 5 Steps

Marta Kuprasz — Mon, 13 May 2024 13:55:51 +0000

Keycloak is a tool for managing identity and access that ensures the security of applications and web services. To maximally secure your environment using it, it’s important to implement best practices. Here are 5 key steps that will help you in this process.

Enable HTTPS and Use Strong Certificates

The first and most crucial step is to ensure all communication with the Keycloak server is done through the secure HTTPS protocol. Using SSL/TLS certificates from trusted providers protects against data interception and manipulation.

In this step:

- Configure the Keycloak Server: Set the server to use only HTTPS, rejecting all unencrypted HTTP requests.
- Update Certificates: Regularly renew and update SSL/TLS certificates to avoid the risk of exploiting outdated keys.

Implement Multi-Factor Authentication (MFA)

This feature adds a layer of security by simultaneously using multiple methods to verify a user’s identity. 2FA (Two-Factor Authentication) is a popular form of MFA that often requires users to enter a password and confirm their identity with a second factor, such as a code from an authentication app.

In this step:

- Activate Multi-Factor Authentication in Keycloak: Enable MFA for all users, especially those with administrative access and access to sensitive data.
- Choose Authentication Methods: Keycloak supports various MFA methods; commonly used ones include authentication apps (e.g., Microsoft Authenticator).

Read also:

Implement strong password policies and session management

Password and session management are key to protecting user identities and preventing unauthorized access. They are the first line of defense against attacks such as brute force or phishing. Keycloak provides a wide range of configurable password policy settings from the administrative console.

In this step:

- Configure the password policy: Set precise rules for password selection to require specific lengths, complexity (e.g., the presence of special characters, uppercase and lowercase letters), and define the password’s lifespan and history.
- Limit session lifespan: Set short but practical session and token lifespan to minimize the window for potential attacks. Automatically logging out users after a specified period of inactivity is important for preventing accidentally leaving sessions open on shared or public devices.

Read also:

- An introduction to Passkey with Keycloak
- Hands-On Keycloak SSO: From Setup to Integration

Secure API endpoints and use Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) allows for defining roles, assigning them to users, and managing permissions, enabling control over API operations depending on the role.

In this step:

- Securing API endpoints: To secure API endpoints, it is crucial to apply appropriate authorization and authentication mechanisms:
- Authentication: Implement authentication protocols such as OAuth 2.0 and OpenID Connect, so users and applications must prove their identity before gaining access to the API. Access tokens: Use access tokens, which contain information about user permissions, to verify access rights to various API resources. HTTPS: Ensure that all requests to the API are sent over HTTPS, protecting data from interception and modification. Role-Based Access Control (RBAC): Role-Based Access Control allows for managing user permissions based on their roles in the organization:
- Defining roles: Establish roles that reflect different access levels in the application, e.g., administrator, user, guest, etc. Assigning roles: Assign roles to users that specify which resources and operations they can access. Managing permissions: Configure access policies in Keycloak to control which operations can be performed by users with a given role at specific API endpoints.

Read also:

Regularly update and monitor the environment

Updating and continuously monitoring the Keycloak environment is essential to maintain high protection against new threats and security vulnerabilities. Keycloak updates appear every few months, and information about them can be found on the official project website or in the Keycloak documentation.

In this step:

- Updates: Regularly update Keycloak to the latest stable versions.
- Monitoring and logging: Use monitoring tools to track any unusual behavior and respond quickly to potential security incidents. Set up logging systems to collect key information about system operation. For example, using Kubernetes, you can efficiently manage and scale monitoring and logging tools such as Prometheus and ELK Stack. Kubernetes facilitates the deployment and management of containers with these tools, automating their deployment, scaling, and repair, which is crucial for maintaining continuity of operation and security in distributed systems.
- Choose a proven partner: If implementing Keycloak best practices seems like a labor-intensive process that will heavily burden your team at this stage, seek help from specialists in this field.

Read also:

Inero Software has extensive experience in implementing advanced cybersecurity solutions. We create comprehensive systems for managing users and their roles, tailored to complex IT infrastructures and meeting high corporate standards. Our team, consisting of cybersecurity experts, implements advanced authorization schemes in accordance with renowned security standards. Thanks to our knowledge and experience, we provide effective protection against threats and compliance with corporate security policies.

Artykuł Best Practices in Keycloak: Secure Your System in 5 Steps pochodzi z serwisu Inero Software - Software Consulting.

Digital identity in the era of remote work and pandemic

Andrzej Chybicki — Tue, 15 Mar 2022 08:42:09 +0000

Working from remote locations, recently has became a standard in many companies. During past few years we have learnt to utilize most of our IT systems, programs and tools remotely such as Office, Outlook, Microsoft Teams, Google Meets, Google Work Space or Google Docs, documentation flow systems or others. Due to significant physical distance to used IT infrastructure, the access to these tools must be properly secured and configured to allow efficient use but third parties, suppliers or other employees have limited access to what you do, in accordance with company’s security policy. Such access is most often implemented in programs through a system of individual accounts in which everyone uses individual logins and passwords.

In large corporate teams with employees working in different locations, this issue is even more important. Although people employed in such teams work in different countries or time zones, many resources must be synchronized with each other and unified access to them improves work, facilitates communication and team management.

Examples of such systems include e-mails, email responders, instant messaging, invoicing, document management systems and many more. In this context, problems appear when the same person needs and access to two or more systems, for example, a contract management tool and document flow management systems. While having many similar situation, hierarchical privileges managements, various systems, remembering several logins and passwords may be confusing for some employees. The desired scenario in such case would be to have on logging gateway that would allow for access to different resources.

Here comes digital identity management!
When an employee logs into the companies resources, he wants to have one digital credentials (i.e. login & password), because in fact he represents the same person in each of these systems. He is also a subject to a specific group of authorizations and rights resulting from the assigned position, duties and other. In such cases Identity and Access Management (IAM) are a perfect choice!

Digital identity is a collection of individual credentials (mostly logins and passwords) that as users, we use in various structures. When we use many systems, we have a lot of credentials. In the long run, this can be troublesome, especially in situations when we forget one of the passwords, because we will need to recover them later. In this case, it is difficult for both users and administrators to manage it.

IAM is a tool that provides effective management of access to information resources. With this solution you can handle the requests of newly hired employees. The identity and access management system also helps in administering users who have parted ways or changed their status with company. With IAM changing or expiring their permissions is much easier.

One of the most frequent concepts in the development of IAM is the concept of SSO (Single-Sign-On). It’s a set of systems in which we have one common login point and one common module for managing users and their authorization to all systems. They allow us to manage digital identity in one place. We have one login and password for many systems to which we can log in with the same credentials.

Impact of COVID-19 on Integrated Authorization Management

In the last two years, IAM systems have been increasingly used due to the need for remote or hybrid work. IAM is of utmost importance in supporting and securing digital resources. Tools like this provide basic authentication and authorization to secure employee data. This goal can be achieved through access management (Multi-Factor Authentication), enabling enterprises to provide end-user authentication to multiple systems.

When is Identity and Access Management important?

Digital identity management actually always happens when we use our unique login. A simple example of using a digital identity is integrating a Google account with the Chrome browser. In the case of corporate solutions, our identity must be better authenticated, so each time we log into the system we have to enter our login and password. Digital identity management occurs when we want to have access to information that is intended only for us, or it requires our interactions.

“According to a report by Verizon Data Breach Investigation, more than 70% of employees re-use their passwords at work. The report found that 81% of hacking breaches used stolen or weak passwords.”

The basic principle of creating IAM systems is not to create new security solutions but above all, to use standards and proven security methods instead. Tools that allow us to use standard approaches to ensure the safety and convenience of use in authorization for various connection scenarios of various systems, including:

Azure B2C
OAuth2
Open ID Connect
Identity Server
Active Directory
KeyCloak
Amazon Cognito
Google IAM

When mentioning digital identity management, it is necessary to indicate the differences between authorization and authentication. Authorization allows access to confirm whether a given person is allowed to use a resource (e.g. a function or database), and authentication means confirming the identity.

5 benefits of IAM

Increasing cyber security

Thanks to IAM solutions, companies can implement security policies in all connected systems. Administrators using such tools can easily remove unwanted access permissions when needed, by providing one consistent system of accounts and passwords.

Lower operating costs in terms of infrastructure management and IT security

With integrated systems enterprises can benefit from lowering costs in IT infrastructure by minimizing the time needed to solve problems related to the user account.

More convenient use of systems by users and administrators

By implementing IAM tools, administrators are able to create a unique identity for each user. They don’t have to manage dozens of accounts for different applications or other resources. Users have access to systems regardless of their location, time or device currently used.

Easier adaptation to the regulations of corporate security policies

When ordering or creating software, corporations implement security policies about what can and cannot be done in specific IT systems. If we are dealing with one account logging system, it is much easier to adapt it to security policies.

Easier password management and recovery

With IAM solutions, password problems will be minimized. They help administrators implement better password management practices. We are talking about frequent updates of login credentials or stronger authentication.

Identity and Access Management

If enterprises want to keep their employees safe and increase their productivity, they should opt for integrated identity and access management. After logging into the main system, users don’t have to worry about having an appropriate password for other structures. The employee has access to the perfect set of tools to increase his productivity.

“72% of organizations prioritize security over operational efficiency (52%) and tamper prevention (47%) as key factors in the development of the IAM program.”

~According to 2020 IAM Report, Cybersecurity Insiders

Digital identity management is a process that can be implemented in stages. It’s not necessary to integrate all systems at once. Company may decide to implement single systems and add more structures over time.

Inero Software provides knowledge and expertise on how to successfully use cutting edge technologies and data to shape corporate digital products of the future. In recent months we have implemented several cybersecurity solutions based on IAM that allow users to use single sign-on authorization point and securely access corporate systems.

In the blog post section you will find other articles about IT systems and more!

Artykuł Digital identity in the era of remote work and pandemic pochodzi z serwisu Inero Software - Software Consulting.