Multi-Factor Authentication Setup

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to provide multiple forms of verification. This guide covers setting up various MFA methods in Skycloak.

Overview

MFA requires users to provide two or more verification factors:

Something you know (password)
Something you have (phone, hardware token)
Something you are (biometrics)

Available MFA Methods

Time-Based One-Time Password (TOTP)

The most common MFA method using authenticator apps.

Supported Apps:

Google Authenticator
Microsoft Authenticator
Authy
1Password
LastPass Authenticator

SMS-Based OTP

Send one-time codes via SMS (requires SMS gateway configuration).

Email-Based OTP

Send one-time codes via email (requires SMTP configuration).

WebAuthn/FIDO2

Hardware security keys and platform authenticators.

Supported Devices:

YubiKey
Google Titan Security Key
Windows Hello
Touch ID / Face ID

Enabling MFA for a Realm

Basic Setup

Navigate to your realm in Skycloak
Go to Authentication → Required Actions
Enable desired MFA methods:
- Configure OTP for TOTP
- WebAuthn Register for security keys
- Update Password (if forcing password reset)

Authentication Flow Configuration

Go to Authentication → Flows
Select Browser flow
Add execution:
- Click Add execution
- Select OTP Form or WebAuthn Authenticator
- Set to Required or Alternative

TOTP Configuration

Enabling TOTP

In Authentication → Required Actions
Enable Configure OTP
Set as Default Action if needed

TOTP Policy Settings

Navigate to Authentication → OTP Policy:

OTP Type: Time-based (totp)
OTP Hash Algorithm: SHA256
Number of Digits: 6
Look Ahead Window: 1
OTP Token Period: 30

User Enrollment Flow

User logs in with username/password
Prompted to set up MFA
Scan QR code with authenticator app
Enter verification code
Save recovery codes

WebAuthn/FIDO2 Setup

Enabling WebAuthn

Go to Authentication → Required Actions
Enable WebAuthn Register
Configure WebAuthn Policy

WebAuthn Policy

Navigate to Authentication → WebAuthn Policy:

Relying Party Entity Name: Your Company
Signature Algorithms: ES256, RS256
Relying Party ID: yourdomain.com
Attestation Conveyance Preference: none
Authenticator Attachment: platform, cross-platform
Require Resident Key: No
User Verification Requirement: preferred

Passwordless Setup

For passwordless authentication:

Create new authentication flow
Add WebAuthn Passwordless Authenticator
Set as alternative to username/password

SMS OTP Configuration

Prerequisites

Configure SMS gateway provider
Set up SMS authenticator SPI

Setup Steps

Install SMS authenticator extension

Configure provider settings:

Provider: Twilio/AWS SNS/Custom
API Key: your-api-key
API Secret: your-api-secret
From Number: +1234567890

Enable in authentication flow

Conditional MFA

Risk-Based MFA

Require MFA based on conditions:

// Require MFA for admin roles
function authenticate(context) {
    var user = context.user;
    var roles = user.getRealmRoleMappings();
    
    for (var i = 0; i < roles.size(); i++) {
        if (roles.get(i).getName() === "admin") {
            context.challenge("otp");
            return;
        }
    }
    context.success();
}

IP-Based MFA

Require MFA from untrusted networks:

// Require MFA outside corporate network
function authenticate(context) {
    var clientIP = context.httpRequest.getRemoteAddress();
    var trustedNetwork = "192.168.1.0/24";
    
    if (!isInNetwork(clientIP, trustedNetwork)) {
        context.challenge("otp");
        return;
    }
    context.success();
}

Recovery Options

Backup Codes

Generate during MFA enrollment
Store securely
Single-use only
Regenerate when depleted

Admin Override

Administrators can:

Reset user MFA
Temporarily disable MFA
Force re-enrollment

User Management

Enforcing MFA

For All Users

Set MFA execution as Required in browser flow
Add to default required actions

For Specific Groups

Create custom authentication flow
Use conditional authenticator
Check group membership

For Specific Roles

// Conditional MFA for roles
if (user.hasRole("sensitive-data-access")) {
    context.challenge("otp");
}

MFA Status Monitoring

View user MFA status:

Go to Users → Select user
Check Credentials tab
View configured MFA methods

Testing MFA

Test Scenarios

New User Enrollment
- Register new account
- Complete MFA setup
- Verify login with MFA
Existing User Migration
- Enable MFA requirement
- Test forced enrollment
- Verify graceful upgrade
Recovery Flow
- Test with backup codes
- Admin reset scenario
- Re-enrollment process

Best Practices

Gradual Rollout
- Start with pilot group
- Monitor adoption
- Address issues before full deployment
User Communication
- Provide clear instructions
- Offer multiple MFA options
- Support documentation
Security Considerations
- Enforce strong MFA methods
- Regular security reviews
- Monitor suspicious patterns
Backup Methods
- Always provide recovery options
- Multiple MFA methods
- Admin override procedures

Troubleshooting

Common Issues

TOTP Time Sync Issues

Problem: Invalid code errors Solution:

Check device time settings
Increase look-ahead window
Sync time on user device

WebAuthn Not Working

Problem: Browser doesn’t prompt for security key Solution:

Check HTTPS requirement
Verify browser compatibility
Check Relying Party ID

SMS Delivery Failures

Problem: Users not receiving SMS codes Solution:

Verify SMS gateway configuration
Check carrier filtering
Review delivery logs

Compliance Considerations

Regulatory Requirements

PCI DSS: MFA for admin access
HIPAA: MFA for PHI access
SOC 2: MFA for production systems
GDPR: Strong authentication for personal data

Audit and Reporting

Monitor MFA usage:

Enrollment rates
Authentication success/failure
Method preferences
Recovery usage

Next Steps

SIEM Integration Guide PKCE Authentication Setup