Re: RFC: Keycloak project presentation
Stian Thorgersen <sthorger@...>
Keycloak does indeed have built-in support for MFA, but it is currently limited to one-time passwords (HOTP or TOTP). It is possible to extend Keycloak to add additional custom MFA mechanisms, and we have community users that use SMS, hardware tokens, etc. with Keycloak. That being said, we are aware of limitations here which will be addressed in the near future. The limitations are mainly the lack of additional built-in types (SMS, email, backup, etc.) as well as support for users to have a choice between multiple mechanisms.

Until recently we have not actually seen much demand to go beyond one-time password support, but with WebAuthn becoming an official web standard there is now a lot of demand for it. It is a high priority for the Keycloak team to deliver improvements in this area as well as WebAuthn support, and we are aiming to have this available in the next few months. We also have several community contributors working on this together with us: one group is working on a WebAuthn library for Java (https://github.com/webauthn4j/webauthn4j) and a corresponding authenticator for Keycloak (https://github.com/webauthn4j/keycloak-webauthn-authenticator - this will be added directly to Keycloak in the future), another group is working on additions to authentication flows to allow for a choice of MFA mechanisms.

In summary our plans are:

* Add support for admins to be able to manage what MFA mechanisms should be available
* Add support for users to configure multiple mechanisms through the account console and select a default. During login users will be prompted for the default, but have the choice to use an alternative
* Add support for WebAuthn to be used as a 2FA mechanism in addition to password, and also as a primary authentication mechanism for a passwordless experience

More details can be found in our design brief for WebAuthn here: https://github.com/keycloak/keycloak-community/blob/master/design/web-authn-two-factor.md.

The brief on application initiated actions is also relevant (https://github.com/keycloak/keycloak-community/blob/master/design/application-initiated-actions.md). There will be two more related design briefs coming soon, one on the passwordless experience for WebAuthn and another on the extensions we are making to authentication flows (a contributor from the community is currently working on a proposal for this).

I hope this clears up your concerns around MFA; if not, I'm happy to discuss it further.

On Tue, 9 Apr 2019 at 19:56, Christopher LILJENSTOLPE <cdl@...> wrote: