Blog / Tutorials

Using Email OTP Keycloak Extension with Skycloak

George Thomas George Thomas Updated March 15, 2026 3 min read
Keycloak custom extensions

Last updated: March 2026

Introduction

Keycloak is a popular, free, open-source Identity and Access Management (IAM) product. However, enterprises often face challenges in installing, maintaining, and scaling Keycloak to meet production-grade requirements.

Skycloak provides managed Keycloak hosting in the cloud, helping organizations overcome these challenges in a cost-effective way. It offers multiple plans supporting features such as high availability, custom domains, and more. See our pricing page for plan details.

Keycloak, being open source, can be customized using extensions.

In this article, we will see how to use the Email OTP custom extension with Skycloak to enhance your multi-factor authentication setup.

Using extensions with Skycloak

The Skycloak Console comes with a set of freely available custom extensions that can be easily installed and configured.

By default, Keycloak does not include an option to use email-based OTP (One-Time Password) for multi-factor authentication (MFA).

Let’s look at how to use a free extension in Skycloak to enable this functionality.

First, ensure that you have created a cluster and a realm for your organization in the Skycloak Console and selected them from the left pane. For detailed instructions, refer to the Skycloak documentation.

Next, configure the Email server so that your Skycloak cluster can send emails. The Skycloak Console provides clear instructions for this under Console -> Email, so we won’t go into detail here.

Installing the Extension

In the Skycloak Console’s left pane, there is an Extensions menu. You’ll find a number of free extensions there.

We’ll focus on the Email OTP Authenticator, which can be installed with a single click. Once installed, the console will display it.

More details on this plugin are available in the email-otp-authenticator GitHub repository.

Configuring the Authentication Flow

Now, we want to enable Email OTP as the second factor for browser authentication.

  1. Go to the Keycloak Console and select the realm you created earlier.
  2. Navigate to Authentication -> Flows in the left pane.
  3. Duplicate the existing Browser flow — for example, name it browser-email.
  4. In the duplicated flow, click the plus (+) button and choose Add Extension -> Email OTP Form.
  5. Position it at the bottom.

For more information on configuring authentication flows in Keycloak, see the Keycloak Authentication Flows documentation.

Note: Selecting the gear button to the right of the Email OTP form gives additional customization options. We have not covered them in this blog.

Ensure the Conditional OTP is set to CONDITIONAL (default).

Disable the default OTP form and instead enable the Email OTP Form, marking it as REQUIRED.

This ensures that if the user has an email configured, the second-factor authentication via email OTP will be triggered.

Once configured, mark the new browser-email flow as the current flow using the Actions menu in the top-right corner.

Verification

To verify your setup:

  1. Log in to your realm with a user account that has a valid email configured.
  2. After entering the username and password, you should see the Email OTP prompt.

An email containing the OTP will be sent to the user’s registered email address. The user can then enter the OTP to complete authentication.

(Note: The footer displayed in the prompt window can be optionally disabled in the launch plan using the Branding option.)

Summary

In this article, we explored how to enable Multi-Factor Authentication (MFA) in Keycloak using the Email OTP extension available with Skycloak. This integration helps enhance account security with an additional verification step beyond passwords.

For other approaches to strengthening authentication, see our guide on implementing single sign-on or explore additional Keycloak configuration options with the Keycloak Config Generator.

Skycloak offers many more advanced features for managing and securing your Keycloak environment, including audit logs and session management.

If you’re new to Skycloak, visit the Skycloak Getting Started Guide to learn how to set up and make the most of its Keycloak extensions.

George Thomas
Written by George Thomas IAM Engineer

George is an IAM engineer with 23+ years in software engineering, including 14+ years specializing in identity and access management. He designs and modernizes enterprise IAM platforms with deep expertise in Keycloak, OAuth 2.0, OpenID Connect, SAML, and identity federation across cloud and hybrid environments. Previously at Trianz and a long-term contributor to Entrust IAM product engineering, George authors Skycloak's technical Keycloak tutorials.

View all posts

Ready to simplify your authentication?

Deploy production-ready Keycloak in minutes. Unlimited users, flat pricing, no SSO tax.

Start Free Trial Talk to Sales

Related Articles

Tutorials NestJS Authentication with Keycloak: Complete Guide March 21, 2026 · 9 min read
Tutorials Django REST Framework Authentication with Keycloak March 20, 2026 · 11 min read
Tutorials Keycloak + Go: Build Secure APIs with gocloak March 19, 2026 · 9 min read
© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman