MFA - Inero Software - Software Consulting

Setting Up Passwordless Login with Passkey on a Mobile Device

Marceli Formela — Wed, 12 Mar 2025 07:47:03 +0000

In our previous post, we demonstrated how to configure Passkeys in Keycloak, replacing traditional passwords with WebAuthn-based authentication. We covered the setup process, key advantages, and potential limitations, including the challenge of user adoption. This blog focuses on configuring Passkeys specifically for mobile devices, ensuring a seamless and secure passwordless experience.

Our first publication about Passkeys in Keycloak, you can find here: An introduction to Passkey with Keycloak

In this post, we’ll dive deeper into optimizing Passkey authentication in Keycloak, looking into a different approach, this time using more than one device.

Using a Passkey stored on a phone

When logging in on a different device, such as a laptop or desktop, users can authenticate using a Passkey stored on their phone. The process works as follows:

Selecting Passkey Login
Instead of entering a password, users choose the Passkey authentication option. The laptop’s browser generates a request for authentication. Now we have to establish a secure connection between your phone (e.g., iPhone) and your laptop.
Scanning a QR Code
The login interface generates a QR code, which users scan using their phone’s camera. Then the laptop sends a cryptographic challenge to the phone, asking it to sign a request using the stored passkey. The phone communicates securely with the laptop over Bluetooth or other close-range communication protocols (like NFC).
Confirming Identity
Once the phone receives the challenge, it asks the user for biometric authentication (e.g., Face ID or Touch ID). This verifies that the person attempting the login is the authorized user.
Secure Authentication
The laptop checks the response from the phone, verifying the cryptographic signature against the public key registered with the service. If the verification is successful, the user is logged in without having to enter a password.

Step by step: Configuring Passkey with a smartphone

Before we dive into our custom authentication flow, it’s important to check if the Webauthn Register Passwordless required action is enabled in the realm (Authentication -> Required actions tab).

This gives us, for example, the ability to enforce passkey configuration from users after their next successful login. However, it’s important to remember that this is just one of many ways to configure multiple authentication methods.

Once we confirm that this option is active, we can proceed with configuring the authentication flow.

This custom authentication flow for Keycloak is designed to demonstrate how users can choose between password-based authentication and passkey authentication (WebAuthn) during login. Here’s how it works:

- Users are required to provide their username to proceed with authentication.
- This step enforces authentication, but users can choose between password-based login or passkey-based login.
- If the user opts for password authentication, they enter their credentials here.
- If the user prefers passwordless authentication using passkeys, they can authenticate using this method instead.

In this step, users can enter their username or email to proceed with authentication. This is a required step, ensuring that the system identifies the user before offering authentication options.

At this stage, we can only use password authentication because we haven’t configured our Passkey (WebAuthn) yet. Once Passkey is set up, users will have the option to choose between password-based and passwordless authentication.

Instead of registering a device PIN as mentioned earlier, we will use authentication via a phone, specifically an iPhone, in this example

Now, a QR code should appear, allowing us to register a Passkey on our account. Let’s scan it using our phone’s camera and verify the operation, for example, using Face ID.

Now, our Passkey should be visible in the Credentials section.

During the next login, we should see the option to choose between password authentication and Passkey authentication.

This setup enhances user convenience by allowing them to pick their preferred authentication method. Passkeys provide a more secure and phishing-resistant login experience, while passwords remain available for users who prefer traditional authentication. With this flexibility, we can ensure both security and ease of access for different user preferences.

It is worth remembering that traditional passwords are a weak link in digital security, often compromised through reuse, phishing, or data breaches. Passkeys offer a modern, passwordless authentication method that enhances security and usability by leveraging cryptographic key pairs managed by platform authenticators. They provide phishing resistance, seamless multi-device access, and compliance with multi-factor authentication (MFA) standards.

Best Practices in Keycloak: Secure Your System in 5 Steps

Artykuł Setting Up Passwordless Login with Passkey on a Mobile Device pochodzi z serwisu Inero Software - Software Consulting.

Trusted devices in Keycloak

Marta Kuprasz — Thu, 06 Mar 2025 10:47:08 +0000

User authentication in IT systems requires finding a balance between convenience and security. On one hand, users expect the login process to involve the fewest steps possible; on the other, it is essential to protect system access from unauthorized use. One way to manage security levels flexibly is through the trusted devices mechanism, which allows users to reduce the number of required login steps for recognized and secure devices.

The stricter the security policy, the more inconvenient it becomes for users—this is the eternal dilemma for system administrators. Long and complex passwords, frequent password changes, and additional authentication factors enhance security but also lead users to find ways to bypass procedures—such as writing passwords down in notebooks or saving them in browsers.

Trusted Devices – How Does It Work?

By default, Keycloak does not recognize or remember devices, meaning each session is treated independently. However, with extensions, support for trusted devices can be added, allowing users to skip certain steps during subsequent logins.

CTO of Inero Software, Waldemar Korłub, emphasizes:

"Hence the concept of trusted devices – the first time, we need to go through all the steps, but afterward, the application can, for example, skip asking for the two-factor authentication code."

Once a device is marked as “trusted,” the system can retain its status for a specified period, allowing for a simplified login process. However, the user may still be periodically asked to reauthenticate to ensure security.

Is remembering devices secure?

While the trusted devices mechanism improves user convenience, it also introduces additional risks. The biggest threat is the theft or loss of a device that has been previously marked as trusted.

As Waldemar Korłub points out:

"If the system does not require an additional authentication factor, an attacker could gain access to all stored applications. That’s why it is crucial for users to have control over their trusted devices—ideally through a panel where they can remove them at any time."

Introducing a device management panel and the option to revoke a device’s trusted status in case of loss are essential elements for ensuring security.

How can administrators control access in Keycloak?

Administrators can restrict the device remembering mechanism, for example, to specific networks or corporate devices.

Waldemar Korłub explains:

"We can limit this mechanism, for example, to computers within the local network—if users connect via the corporate VPN, we can recognize company-owned devices and enable the trusted devices option for them."

Thanks to such solutions, organizations can prevent users from assigning trusted status to personal devices that are beyond their control.

Trusted Devices in Keycloak – Key Takeaways

- Trusted Devices Help Simplify Login but Require Proper Security Measures
  The trusted devices mechanism in Keycloak allows users to skip certain authentication steps, such as entering a 2FA code. While this is a convenient solution that streamlines daily operations, it also requires the implementation of appropriate security measures. It is essential to define the validity period of a trusted device and monitor changes in login behavior to prevent misuse.

- Administrators Can Control the Trusted Device Access Policy
  Not every device should be marked as trusted, which is why administrators can restrict this feature to corporate computers or require a VPN connection. This helps prevent situations where a user assigns trusted status to a personal computer that the organization cannot control.

- Device Management Panel Enhances Security
  To give users greater control over their sessions, it is beneficial to implement a panel that allows them to review and remove trusted devices. This way, in case of device loss or suspected unauthorized access, users can quickly revoke granted permissions.

- The Ability to Remove a Device Protects Against Account Takeover
  If a device is lost or stolen and the system does not require additional authentication, an attacker could gain access to the user’s account. That’s why it is crucial to allow the removal of trusted devices at any time and enforce reauthentication. This approach provides greater flexibility while reducing the risk of unauthorized account access.

When Should You Use the Trusted Devices Feature in Keycloak?

The trusted devices feature in Keycloak enhances login convenience while maintaining a high level of security. This functionality is particularly useful in corporate environments and BYOD (Bring Your Own Device) models, where users regularly log in from the same devices.

Marking a device as trusted reduces the number of two-factor authentication (2FA) prompts, extends session duration, and allows for dynamic security policy adjustments, such as requiring reauthentication for suspicious logins. This approach helps mitigate the risk of account takeover—even if an attacker obtains a password and 2FA code—since logging in from a new device may trigger additional verification.

Implementing trusted devices in Keycloak enables organizations to strike a balance between security and user convenience.

The trusted devices mechanism in Keycloak enhances login convenience without significantly compromising cybersecurity. Proper implementation of the device remembering policy in Keycloak helps balance system security and user experience.

However, administrators should ensure that mechanisms are in place for managing the list of trusted devices and enforcing periodic verification of their status to mitigate potential security risks.

We will help you implement Keycloak

Want to implement Keycloak or add new functionalities? Schedule a meeting to explore the possibilities.

Schedule a meeting

Artykuł Trusted devices in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Behind the Scenes #2: Implementing email-based MFA in Keycloak

Marceli Formela — Thu, 13 Feb 2025 09:50:32 +0000

Keycloak natively supports many secure login solutions and comes with built-in one-time password (OTP) mechanisms, such as authentication via mobile apps like Google Authenticator or our solution AuthM8. However, if we want to use other advanced authentication methods and for example send OTP codes via email, then similar to SMS multi factor authentication (more details HERE), we need to implement this functionality ourselves. In this post, we’ll explore a custom MFA implementation that sends a one-time authentication code to the user’s email.

How does email-based MFA work?

The authentication process consists of two main stages:

- Generating and sending the MFA code

If the user already has an active cookie confirming a previous MFA verification, they should be immediately authenticated. Otherwise, Keycloak creates a new credential for the user and generates a one-time code based on configurable parameters like length or time-to-live. The code is stored in the user’s credentials and then is emailed using the email provider.

- Verifying the entered code

When a user submits the code, KC retrieves the stored credential and compares the entered value. If the code is correct and still valid (not expired), authentication is successful, and a cookie is set to remember the verification. If the code is incorrect, the user is prompted to re-enter it and if the code has expired, an error message is shown and the process must be restarted.

Email MFA: Pros and Cons

Email-based MFA offers additional security when the primary factor, such as a password, has been compromised. This is particularly helpful in cases where passwords are brute-forced or easily guessed, such as with common combinations like 123456. Similarly, this solution offers protection against credential stuffing, where attackers use leaked passwords from other breaches to attempt logging into account.

There are several other benefits to using email as a MFA:

- Email MFA does not require users to provide additional sensitive information, such as a phone number, reducing concerns about privacy.

- It does not require users to install a separate app or complete a complicated setup, which simplifies the process.

- Users are accustomed to providing their email for various purposes, such as receiving important account updates or resetting passwords. This familiarity makes it more accessible.

However, email as a delivery channel does have some drawbacks. If an attacker compromises your email (gains access to an email account through stolen credentials or by exploiting an active session.), they could potentially reset other accounts’ passwords as well. For users in vulnerable situations, such as those with access to shared devices, email-based MFA can still leave them exposed. As with any security measure, it’s essential to weigh the benefits against the potential risks and mix email MFA with other safeguards, such as strong passwords policy and secure email practices.

Implementing Email MFA

In this modified Browser Authentication Flow, we integrate our custom MFA as an additional authentication method. There are two new steps:

- MFA Email setup – this step ensures that email is set up and verified for the user before proceeding. If the user does not have a custom MFA Credential (which stores OTP codes as secrets), it will be set as well.

public class MfaEmailSetupAuthenticator implements Authenticator, CredentialValidator {
@Override
public void authenticate(AuthenticationFlowContext context) {
[…]
// Require email verification
if (!userModel.isEmailVerified()) {
userModel.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
}
// Add MFA email credential if not present
if (!getCredentialProvider(context.getSession()).isConfiguredFor(realmModel, userModel, MfaEmailCredentialModel.TYPE)) {
userModel.credentialManager().createStoredCredential(new MfaEmailCredentialModel(new MfaEmailCredentialData()));
}
[…]

- MFA Email Authentication – this is the actual authentication step where a one-time code is sent via email. Marked as Alternative, meaning it can be used instead of other MFA methods like mobile app OTP.

Here, you can see how the configuration of this authenticator could look like in the Keycloak authentication flow.

- Max Cookie Age this setting determines how long the MFA session (cookie) is valid. If the cookie is still valid, the user won’t be prompted for MFA.
- Time-to-live indicates the lifetime of the MFA code.

Now let’s take a look at the code.

The method below handles the MFA process itself. If a valid cookie exists (indicating that the user has already completed MFA), the method immediately returns success, meaning the authentication flow is complete without requiring additional actions.

@Override
public void authenticate(AuthenticationFlowContext context) {
if (hasValidCookie(context)) {
context.success();
return;
}
[…]

If there is no cookie, we should try to retrieve the user’s existing MFA credential from the credential provider. If the user doesn’t have one, a new instance is created using the MfaEmailCredentialModel which just extends the built-in CredentialModel:

[…]
// get existing credential or create a new one
CredentialModel credentialModel = getCredentialProvider(session)
.getDefaultCredential(session, context.getRealm(), user);
if (credentialModel == null) {
credentialModel = user.credentialManager().createStoredCredential(new MfaEmailCredentialModel(new MfaEmailCredentialData()));
}
[…]

Then the authenticate method reads configuration properties like code length and TTL (time-to-live). The code itself can be generated using some utils method and will be stored as the secretData in the credential model.

// generate and store code
int length = Integer.parseInt(configMap.get(CONFIG_CODE_LENGTH));
int ttl = Integer.parseInt(configMap.get(CONFIG_CODE_TTL));
String code = MfaEmailCodesUtils.generateCode(length);
credentialModel.setSecretData(code);
user.credentialManager().updateStoredCredential(credentialModel);
AuthenticationSessionModel authSession = context.getAuthenticationSession();
authSession.setAuthNote("ttl", Long.toString(System.currentTimeMillis() + (ttl * 1000L)));

In the end the sendCode method is called to send the generated code to the user’s email. If the email is sent successfully, the method presents the form where the user can enter the MFA code.

// send email and show input form
try {
MfaEmailCodesUtils.sendCode(session, user, ttl, code, configMap);
context.challenge(context.form().setAttribute("realm", context.getRealm()).createForm(TPL_CODE));
} catch (Exception e) {
context.failureChallenge(AuthenticationFlowError.INTERNAL_ERROR,
context.form().setError("mfaEmailNotSent", e.getMessage())  .createErrorPage(Response.Status.INTERNAL_SERVER_ERROR));
}

The second major part of our Authenticator is the action method which handles the validation of the code entered by the user. It is invoked when the user submits the input form after receiving the email.

The method retrieves the user’s credential from the provider and then the code is validated by checking it against the stored credential using the custom isValid method.

[…]
final MfaEmailCredentialModel credentialModel = getCredentialProvider(session)
        .getDefaultCredential(session, context.getRealm(), user);
boolean isValid = getCredentialProvider(session).isValid(context.getRealm(), user,
     new UserCredentialModel(credentialModel.getId(), getCredentialProvider(context.getSession()).getType(), enteredCode));
[…]

If the code is valid, the next step is to check if it is expired. We can also set a cookie that stores the MFA session to prevent the user from being prompted for MFA again during the cookie’s validity period.

[…]
// valid
HttpResponse response = context.getSession().getContext().getHttpResponse();
response.setCookieIfAbsent(createCookie(context));
context.success();
[…]

Of course, in this post, we will not cover the entire topic, omitting implementation details such as sending the code, generating the code, validation, and creating our custom cookie.

However, we have walked through the major steps of implementing 2FA using email-based codes. On the one hand, this approach offers a simple and accessible solution. Although it has its drawbacks, using it in solutions like Keycloak helps mitigate many of these vulnerabilities. Keycloak also provides the flexibility to combine email-based MFA with other security measures, creating a more layered and resilient authentication process that can help protect against evolving cybersecurity threats.

Do you need help configuring multi-factor authentication?

Schedule a meeting to find out how we can help you.

Schedule a meeting

Artykuł Behind the Scenes #2: Implementing email-based MFA in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Security Information and Event Management Systems: Why Is It Worth Adding Keycloak?

Marta Kuprasz — Thu, 06 Feb 2025 10:15:42 +0000

Security Information and Event Management (SIEM) systems enable the collection and analysis of data on user activity, system access, and cybersecurity events to detect threats and respond to incidents in real time. Identity and Access Management (IAM) systems, in turn, provide insights into user activity. In this blog, you’ll learn how Keycloak can support your SIEM system.

In the Report on the State of Cybersecurity in Poland for 2023 prepared by CSIRT GOV, it was indicated that among the threats persisting in the Polish cyberspace in 2023, which had a significant impact on risk assessment, social engineering attacks and brute-force attacks were particularly notable. Social engineering attacks involve manipulating users to gain unauthorized access to systems, while brute-force attacks rely on automatically attempting various password combinations to break security measures.

Proper identity management and log monitoring are key elements in protecting against such attacks. This is why integrating Keycloak with a SIEM system allows organizations to detect threats more effectively and respond to them immediately.

Why Is It Worth Integrating SIEM with Keycloak?

Every organization using a SIEM system aims to detect as many threats as possible and respond to incidents as quickly as possible. Information about who attempted to access systems, from where, and when can be crucial in identifying attacks and unauthorized login attempts. This is where Keycloak—a popular open-source IAM platform—can significantly enhance the SIEM ecosystem by providing valuable data on authentication, authorization, and session management processes.

Keycloak, developed by the Red Hat community, offers comprehensive solutions for authenticating and authorizing users in web applications, mobile apps, and backend services. We’ve covered it in detail https://inero-software.com/keycloak-services/

Keycloak can provide data on:

Login attempts – both successful and failed, along with information about the originating IP address.
Forced password resets and changes in access policies – allowing for monitoring of potential account takeover attempts.
User sessions – including unusual logins from new locations or devices.
Detected threats, such as suspicious multiple login attempts (e.g., brute-force attacks, which involve cracking passwords or cryptographic keys by trying all possible combinations).

The SIEM system, in turn, can analyze this data and correlate it with other events, such as:

Login attempts from unusual locations linked to suspicious network activity.
Multiple failed login attempts from a single IP address – a sign of a brute-force attack.
Sudden changes in user privileges associated with suspicious system access.

An example of effective integration can be seen in a situation where a user repeatedly enters an incorrect password within a short period. Keycloak logs this as suspicious activity. A SIEM system can then correlate this data with login attempts from different locations and take action, such as temporarily blocking the account or enforcing additional authentication.

How Do Keycloak and SIEM Work Together?

Keycloak and Security Information and Event Management (SIEM) systems serve different purposes in identity management and IT security, but they complement each other perfectly.

Feature	SIEM (Security Information and Event Management)	IAM (Identity and Access Management – Keycloak)
Main Function	Monitoring and analyzing security events	Managing user identities and access
Scope of Operation	Log collection, incident analysis, threat detection	Authentication, authorization, access control
Types of Data	System logs, network traffic, security alerts	User sessions, authentication logs, authorization requests
Mode of Operation	Aggregation and correlation of events from multiple sources	Verification of user identities and permissions
Primary Uses	Anomaly detection, incident response, compliance	Single Sign-On (SSO), identity federation, MFA
Examples of Threats	DDoS attacks, malware, privilege escalation	Brute-force attacks, account takeover, privilege misuse
Response to Threats	Alert generation, automatic blocking, reporting	Account blocking, enforcing MFA, session management
Integration with Other Systems	Yes – collects logs from SIEM systems, IDS, firewalls	Yes – integrates with LDAP, AD, databases, SIEM

How to Implement Keycloak?

Integrating Keycloak with a SIEM system enhances IT security by providing additional information about users and their activities. This allows organizations to detect threats more effectively and respond to incidents more quickly.

If you’re wondering how to implement and configure Keycloak for your organization, be sure to check out these articles:

These resources provide practical guidance on configuring and integrating Keycloak with various systems. Importantly, one of Keycloak’s key features is its ability to integrate with Lightweight Directory Access Protocol (LDAP) directories, which we covered in detail here: Exporting accounts to federated realms: A guide to Keycloak and LDAP Integration

There are many SIEM solutions available on the market, so it’s worth conducting a security audit within your organization before making a decision. Identifying potential vulnerabilities will help guide the selection and implementation of an appropriate incident management system, enhanced with Keycloak integration, to better monitor threats and strengthen data protection across your organization.

Do You Want to Implement Keycloak?

Benefit from our experience. We have completed numerous implementations for SMEs and large organizations. We’d be happy to discuss potential collaboration opportunities.

Schedule a Meeting

Artykuł Security Information and Event Management Systems: Why Is It Worth Adding Keycloak? pochodzi z serwisu Inero Software - Software Consulting.

Behind the Scenes: Custom SMS Authenticator with Keycloak

Marceli Formela — Fri, 14 Jun 2024 10:29:52 +0000

With the increasing number of cyber threats, multi-factor authentication (MFA) has become a standard security measure. MFA enhances protection by requiring users to verify their identity through multiple methods. In today’s digital world MFA has become a standard security practice, adding an extra layer of protection by requiring users to provide multiple forms of verification.

Among the various advanced authentication methods, SMS-based authentication stands out for its balance of security and user convenience. However, sometimes creating a custom SMS authenticator within an identity provider like Keycloak can be a complex and nuanced process, demanding an understanding of its architecture and extensibility.

Service Provider Interface (SPI)

Keycloak aims to address the majority of use cases without forcing you to create custom code. However, it also offers flexibility for customization. To support this, Keycloak provides several SPIs that allow you to implement your own solutions. We are going to implement an authenticator that requires a valid SMS code. To create this feature, we must at least implement the org.keycloak.authentication.AuthenticatorFactory and Authenticator interfaces. The AuthenticatorFactory is responsible for creating instances of an Authenticator. They both extend a more generic Provider and ProviderFactory set of interfaces that other Keycloak components do.

Packaging classes

We will package our classes within a single project. It must contain a file named org.keycloak.authentication.AuthenticatorFactory and must be contained in the META-INF/services/ directory. This file must list the fully qualified class name of each AuthenticatorFactory implementation you have in the jar. For example:

pl.inero.keycloakext.authenticator.sms.SmsAuthenticatorFactory
pl.inero.keycloakext.authenticator.custom.CustomUsernamePasswordFormFactory
pl.inero.keycloakext.authenticator.custom.CustomCookieAuthenticatorFactory

This services/ file is used by Keycloak to scan the providers it has to load into the system.

CredentialModel and CredentialProvider

The first step is to configure our Credential related classes since the user’s phone number should be stored as credential record. As you can see below, the Sms2faCredentialData class is a straightforward data container for storing the phone number associated with the user.

public class Sms2faCredentialData {

private String phoneNumber;

@SuppressWarnings("unused") //used for credentials deserialization
public Sms2faCredentialData() {
}

public Sms2faCredentialData(String phoneNumber) {
     this.phoneNumber = phoneNumber;
}

public String getPhoneNumber() {
     return phoneNumber;
}

@SuppressWarnings("unused") //used for credentials deserialization
public void setPhoneNumber(String phoneNumber) {
     this.phoneNumber = phoneNumber;
}
}

The next step is to extend the CredentialModel class that can generate the correct format of the credential in the database. For the Sms2faCredentialModel objects to be fully functional, they need to encompass not only the raw JSON data inherited from their parent but also encapsulate the unmarshalled objects within their own attributes. This ensures wide accessibility and utilization of the credentials, providing easy integration and handling of authentication processes.

public class Sms2faCredentialModel extends CredentialModel {

public static final String TYPE = "sms2fa";
private Sms2faCredentialData smsCredentials;

public Sms2faCredentialModel(Sms2faCredentialData smsCredentials) {
     try {
         this.smsCredentials = smsCredentials;
         setCredentialData(JsonSerialization.writeValueAsString(smsCredentials));
         setUserLabel("tel: " + smsCredentials.getPhoneNumber());

         setType(TYPE);
     } catch (IOException e) {
         throw new RuntimeException(e);
     }
}

public String getPhoneNumber() {
     return smsCredentials.getPhoneNumber();
}
}

Similar to other providers within Keycloak, the creation of the CredentialProvider requires the presence of a corresponding CredentialsProviderFactory. In meeting this requirement, we implement the Sms2faCredentialProviderFactory requirement, we implement the Sms2faCredentialProviderFactor

public class Sms2faCredentialProviderFactory  implements 
CredentialProviderFactory {

public static final String PROVIDER_ID = "keycloak-ext-sms2fa";

@Override
public String getId() {
     return PROVIDER_ID;
}

@Override
public CredentialProvider create(KeycloakSession session) {
     return new Sms2faCredentialProvider(session);
}
}

The CredentialProvider interface is structured with a generic parameter that extends a CredentialModel, ensuring compatibility across a spectrum of credential types. Additionally, we need to implement the CredentialInputValidator interface, indicating to Keycloak that this provider is equipped to authenticate credentials for our custom Authenticator. Although we won’t dive into the full architecture here, Keycloak documentation covers additional methods.

Our implementation includes functionalities to create and delete credentials. These functionalities use the credential manager, responsible for the storage and retrieval of credentials, whether they’re stored locally or within federated storage systems.

@Override
public CredentialModel createCredential(RealmModel realm, UserModel user, Sms2faCredentialModel credentialModel) {
if (credentialModel.getCreatedDate() == null) {
     credentialModel.setCreatedDate(Time.currentTimeMillis());
return user.credentialManager().createStoredCredential(credentialModel);
}

@Override
public boolean deleteCredential(RealmModel realm, UserModel user, String credentialId) {
logger.debugv("Delete Sms2fa credential. username = {0}, credentialId = {1}", user.getUsername(), credentialId);
return user.credentialManager().removeStoredCredentialById(credentialId);
}

For the CredentialInputValidator, the main method to implement is the isValid, which tests whether a credential is valid for a given user in a given realm. This is the method that is called by the Authenticator when it seeks to validate the user’s input.

@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput credentialInput) {
final Sms2faCredentialModel credentialModel = getDefaultCredential(session, realm, user);
final String secretData = credentialModel.getSecretData();
return secretData != null && secretData.equals(credentialInput.getChallengeResponse());

Now we should have everything to be able to move on to implementing the authenticator itself.

AuthenticatorFactory and Authenticator

The SmsAuthenticatorFactory class encapsulated the logic needed to configure and create instances of the SmsAuthenticator, which performs SMS-based OTP validation. It supports customization through several configurable properties.

supports customization through several configurable properties.
public class SmsAuthenticatorFactory implements AuthenticatorFactory {

@Override
public String getId() {
     return "sms-authenticator";
}

@Override
public String getDisplayType() {
     return "SMS Authentication";
}
@Override
public String getHelpText() {
     return "Validates an OTP sent via SMS to the users mobile phone.";
}
     (…)
}

Now let’s dive into the Authenticator itself. The primary method to focus is sendChallenge(). When the flow is initially triggered, this method is invoked. It’s important to notice that it doesn’t handle the processing of the SMS code form. Rather, its role is to either render the page or continue the flow.

The HTML page requesting the received code is presented to the user, who then inputs the code and submits it. Then an HTTP request is sent to the flow via the action URL specified in the HTML form. This triggers the action() method within our Authenticator implementation. If the provided code is invalid, we reconstruct the HTML Form, appending an error message. Following this, we utilize failureChallenge(), passing the reason for the failure. It operated similarly to challenge(), but additionally logs the error, helping to detect any attack possibility.

private void sendChallenge(AuthenticationFlowContext context) {
(…)
credentialModel.setSecretData(code);
user.credentialManager().updateStoredCredential(credentialModel);
AuthenticationSessionModel authSession = context.getAuthenticationSession();
authSession.setAuthNote("ttl", Long.toString(System.currentTimeMillis() + (ttl * 1000L)));

try {
     /* sending SMS */
     context.challenge(context.form().setAttribute("realm", context.getRealm()).createForm(TPL_CODE));
} catch (Exception e) {
     context.failureChallenge(AuthenticationFlowError.INTERNAL_ERROR,
             context.form().setError("smsAuthSmsNotSent", e.getMessage())
                     .createErrorPage(Response.Status.INTERNAL_SERVER_ERROR));
}
}

@Override
public void action(AuthenticationFlowContext context) {
(…)
final Sms2faCredentialModel credentialModel = getCredentialProvider(session).getDefaultCredential(session, context.getRealm(), user);
boolean isValid = getCredentialProvider(context.getSession()).isValid(context.getRealm(), context.getUser(),
       new UserCredentialModel(credentialModel.getId(), getCredentialProvider(context.getSession()).getType(), enteredCode));
if (isValid) {
     if (Long.parseLong(ttl) < System.currentTimeMillis()) {
         // expired
         context.failureChallenge(AuthenticationFlowError.EXPIRED_CODE,

                 context.form().setError("smsAuthCodeExpired").createErrorPage(Response.Status.BAD_REQUEST));
     } else {
         // valid
         context.success();
     }
} else {
     context.getEvent().user(user).error(Errors.INVALID_USER_CREDENTIALS);
     context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
             context.form().setAttribute("realm", context.getRealm())
                     .setError("smsAuthCodeInvalid").createForm(TPL_CODE));
}
}

Authentication Flow

To add an Authenticator into a flow, administrators must navigate to the Console. By accessing the Authentication section and navigating to the Flow tabs, they should see existing flows. Built-in flows cannot be directly modified, so to integrate the newly created Authenticator, we need to either duplicate an existing flow or create a new one from scratch.

Required actions

If the phone is not set up, we should trigger a custom required action. Again, we should add the fully qualified class name to the META-INF/services directory and implement RequiredActionProvider interface. Method requiredActionChallenge() is responsible for rendering the HTML that will drive the required action.

@Override
public void requiredActionChallenge(RequiredActionContext context) {
LoginFormsProvider form = context.form();
if (getSmsAuthenticatorConfig(context) == null) {
     form.setError("smsAuthMissingAuthenticatorConfig");
}
final Response response = form.createForm("sms-2fa-register.ftl");
context.challenge(response);
}

This part is responsible for processing input from the HTML form of the required action. After entering the received SMS code, the phone number should be saved in the database as a credential. The next time we log in, we will be able to use this form of OTP.

@Override
public void processAction(RequiredActionContext context) {
    (…)
final String phoneNumber = params.getFirst("phoneNumber");
final String code = params.getFirst("code");

if(StringUtils.isBlank(phoneNumber) && StringUtils.isBlank(authSession.getAuthNote("phone_number"))) {
     //if no phone number is set, redirect to the first page
     requiredActionChallenge(context);
     return;
}
if (phoneNumber != null) {
     sendPhoneNumberVerificationChallenge(context, authSession, phoneNumber, smsAuthenticatorConfig.getConfig());
     return;
}
if (code != null) {
     /* verify provided SMS code */ 
    }
}

The final thing you have to do is go into the Admin Console and Required Actions tab. Your new action should now be displayed and enabled in the required actions list.

If the user hasn’t provided a phone number before and SMS authenticator is set up as required in the Authentication Flow, a new view should appear.

In summary. configuring SMS MFA involves setting up custom required actions and authenticator providers, but of course, there are other things to cover like Keycloak <-> SMS gateway communication. What we looked at in this post is of course only part of the possible configuration, but the most important and Keycloak-specific one.

One of the significant advantages of SMS MFA implementation is its widespread accessibility, as most users already have mobile phones capable of receiving SMS messages. Additionally, it provides a straightforward user experience, requiring minimal setup and familiarity for users. However, this mechanism does have its drawbacks, including potential vulnerabilities such as SIM swapping attacks or interception of SMS codes. Moreover, SMS delivery can sometimes be unreliable, leading to delays or failed delivery, impacting the user experience. We should be aware of this before we decide on such a method, especially in the era of newer solutions like mobile-app OTP.

Artykuł Behind the Scenes: Custom SMS Authenticator with Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Step-by-Step Guide to Enabling Multi-Factor Authentication (MFA) in Keycloak

Marceli Formela — Wed, 05 Jun 2024 09:51:42 +0000

In today’s digital age, the importance of securing online resources has never been greater. As these threats continue to evolve, the traditional method of relying on passwords has proven insufficient in protecting sensitive information. This escalation underscored the necessity for more sophisticated security measures, leading to the widespread adoption of Multi-Factor-Authentication (MFA). In this blog post, we will explore still growing online threats and how MFA serves as a defense mechanism for our applications.

What is MFA?

Multi-Factor Authentication (MFA) enhances the security of your applications by requiring users to provide multiple forms of identification before granting access. Of course, tools like Keycloak support MFA and allow administrators to configure it with ease. This guide offers a detailed, step-by-step procedure to enable MFA in Keycloak, ensuring that your user authentication processes are more secure.

MFA is designed to protect users against the vulnerabilities associated with single-factor authentication, where a user only needs to provide one form of authentication, typically a password. MFA adds layers of security by requiring users to present multiple pieces of evidence (factors) that confirm their identity.

Authentication factor user in MFA are typically categorized into three types:

Knowledge Factors (something you know)

- Passwords
- PINs
- Security questions

Possession Factors (something you have)

- OTP (One-Time Password) generated by an authenticator app
- SMS codes
- Email codes
- Hardware tokens

Inherence Factors (something you are)

- Biometric verification (facial recognition, fingerprint etc.)

The first step is always initial authentication, when the user enters username and password (so called knowledge factor). After the initial authentication, the user is prompted to provide a second form of authentication and this could be an OTP sent to the phone, a biometric scan, or another form of possession/inherence factor. If both factors are successfully verified, the user is granted access to the application. Now let’s take a look at a few example types of authentication and their pros/cons.

Email-based OTP

In this method, a temporary code is sent to the user’s registered email address, which they must enter to complete the login process. Users receive the OTP directly in the email and it does not require to install or configure any additional apps. But we should remember that email accounts can be compromised, and intercepted emails could be a significant security risk.

SMS-based OTP

Receiving an OTP via SMS is straightforward and familiar to most users, also requiring no additional app installation. It should work on any mobile phone, making it accessible to a broader range of users. But they can be also vulnerable to interception and SIM swapping attacks, making them less secure compared to other methods. SMS delivery can also be delayed or even fail due to network issues. We’ll take a closer look at its pros and cons in the next post which covers custom authenticator development.

Push notifications

Push notifications involve sending a real-time alert to a user’s registered mobile device, asking them to approve or deny an authentication attempt. Users are instantly notified of any login attempts, allowing them to quickly respond to any unauthorized access attempts. They also do not need to enter a one-time password (OTP), which simplified the authentication process. This method of course requires an active internet connection. But remember that infected devices could potentially compromise the security of this feature and that users basically need to be educated about recognizing legitimate push notifications to avoid accidental approvals of attack attempts.

OTP via Authenticator Apps

OTPs generated by authenticators like Google are highly secure as they are time-based and difficult to predict. They can generate OTPs without an internet connection, making them reliable even when users are offline. In this case, users need to have access to their mobile device to generate the OTP and initial setup very often requires scanning a QR code and configuring authenticator app, which might be challenging for non-technical users.

How to configure OTP (via mobile authenticator) in Keycloak

Now we can go to the Keycloak console and try to set up some basic OTP in our realm. Before attempting to enable MFA in Keycloak, ensure you have a running instance of Keycloak, administrative access to the server, and a basic understanding of realm, client, user management concepts from previous posts.

Step 1: OTP Policy

From the side menu select the realm where you want to enable MFA. In the realm settings, navigate to the Authentication section and select the OTP Policy tab. Configure settings according to your security requirements. You can select default values that are provided by the server.

Step 2: Required actions

In the Authentication settings, go to the Required Actions tab. Now you can activate OTP as default action for every new user.

Therefore, we have already configured MFA and each newly registered user will have to use it. Of course, this configuration could be modified through in-the-app account settings so that users only use MFA if they specifically request it.

As we can see, MFA is a powerful tool for protecting sensitive information and enhancing the security of web applications. By requiring multiple forms of verification, it makes it significantly harder for unauthorized users to access accounts and systems, mitigating risks associated with password-only authentication. Implementing this mechanism is surely helping organizations comply with regulations and protect against still-evolving web threats.

In the next article, we will take a closer look at a custom SMS authenticator for Keycloak, exploring its pros and cons.

Artykuł Step-by-Step Guide to Enabling Multi-Factor Authentication (MFA) in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Best Practices in Keycloak: Secure Your System in 5 Steps

Marta Kuprasz — Mon, 13 May 2024 13:55:51 +0000

Keycloak is a tool for managing identity and access that ensures the security of applications and web services. To maximally secure your environment using it, it’s important to implement best practices. Here are 5 key steps that will help you in this process.

Enable HTTPS and Use Strong Certificates

The first and most crucial step is to ensure all communication with the Keycloak server is done through the secure HTTPS protocol. Using SSL/TLS certificates from trusted providers protects against data interception and manipulation.

In this step:

- Configure the Keycloak Server: Set the server to use only HTTPS, rejecting all unencrypted HTTP requests.
- Update Certificates: Regularly renew and update SSL/TLS certificates to avoid the risk of exploiting outdated keys.

Implement Multi-Factor Authentication (MFA)

This feature adds a layer of security by simultaneously using multiple methods to verify a user’s identity. 2FA (Two-Factor Authentication) is a popular form of MFA that often requires users to enter a password and confirm their identity with a second factor, such as a code from an authentication app.

In this step:

- Activate Multi-Factor Authentication in Keycloak: Enable MFA for all users, especially those with administrative access and access to sensitive data.
- Choose Authentication Methods: Keycloak supports various MFA methods; commonly used ones include authentication apps (e.g., Microsoft Authenticator).

Read also:

Implement strong password policies and session management

Password and session management are key to protecting user identities and preventing unauthorized access. They are the first line of defense against attacks such as brute force or phishing. Keycloak provides a wide range of configurable password policy settings from the administrative console.

In this step:

- Configure the password policy: Set precise rules for password selection to require specific lengths, complexity (e.g., the presence of special characters, uppercase and lowercase letters), and define the password’s lifespan and history.
- Limit session lifespan: Set short but practical session and token lifespan to minimize the window for potential attacks. Automatically logging out users after a specified period of inactivity is important for preventing accidentally leaving sessions open on shared or public devices.

Read also:

- An introduction to Passkey with Keycloak
- Hands-On Keycloak SSO: From Setup to Integration

Secure API endpoints and use Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) allows for defining roles, assigning them to users, and managing permissions, enabling control over API operations depending on the role.

In this step:

- Securing API endpoints: To secure API endpoints, it is crucial to apply appropriate authorization and authentication mechanisms:
- Authentication: Implement authentication protocols such as OAuth 2.0 and OpenID Connect, so users and applications must prove their identity before gaining access to the API. Access tokens: Use access tokens, which contain information about user permissions, to verify access rights to various API resources. HTTPS: Ensure that all requests to the API are sent over HTTPS, protecting data from interception and modification. Role-Based Access Control (RBAC): Role-Based Access Control allows for managing user permissions based on their roles in the organization:
- Defining roles: Establish roles that reflect different access levels in the application, e.g., administrator, user, guest, etc. Assigning roles: Assign roles to users that specify which resources and operations they can access. Managing permissions: Configure access policies in Keycloak to control which operations can be performed by users with a given role at specific API endpoints.

Read also:

Regularly update and monitor the environment

Updating and continuously monitoring the Keycloak environment is essential to maintain high protection against new threats and security vulnerabilities. Keycloak updates appear every few months, and information about them can be found on the official project website or in the Keycloak documentation.

In this step:

- Updates: Regularly update Keycloak to the latest stable versions.
- Monitoring and logging: Use monitoring tools to track any unusual behavior and respond quickly to potential security incidents. Set up logging systems to collect key information about system operation. For example, using Kubernetes, you can efficiently manage and scale monitoring and logging tools such as Prometheus and ELK Stack. Kubernetes facilitates the deployment and management of containers with these tools, automating their deployment, scaling, and repair, which is crucial for maintaining continuity of operation and security in distributed systems.
- Choose a proven partner: If implementing Keycloak best practices seems like a labor-intensive process that will heavily burden your team at this stage, seek help from specialists in this field.

Read also:

Inero Software has extensive experience in implementing advanced cybersecurity solutions. We create comprehensive systems for managing users and their roles, tailored to complex IT infrastructures and meeting high corporate standards. Our team, consisting of cybersecurity experts, implements advanced authorization schemes in accordance with renowned security standards. Thanks to our knowledge and experience, we provide effective protection against threats and compliance with corporate security policies.

Artykuł Best Practices in Keycloak: Secure Your System in 5 Steps pochodzi z serwisu Inero Software - Software Consulting.