How to enable Two-factor authentication in Keycloak

In this article, we will explain how to enable Two Phase Authentication (2FA) with Keycloak. We will learn how to include the 2FA in the standard authentication flow and how to enforce it for a single user.

Two-factor authentication (2FA) is an additional layer of security that requires users to provide an additional form of authentication beyond their password when logging in. This can help protect against unauthorized access to accounts, even if an attacker has obtained a user’s password. Keycloak, an open-source identity and access management solution, offers support for 2FA through various authentication flows and mechanisms.

By default, Two-factor authentication is not enabled in the standard browser authentication flow of Keycloak. Let’s see how we can add it as part of a sample application


Next, we will move to the Two-factor authentication configuration

Enabling Two-factor authentication

Log in into the Admin Console and select “Authentication” in your Realm. This is the area where you can configure and manage different credential types.

Select the “Browser flow“:

Enabling Two-factor authentication keycloak

This is a flow that is initiated when a user attempts to access a protected resource using a web browser. This flow typically involves redirecting the user to a login page, where they can enter their credentials. If the user’s credentials are valid, they will be granted access to the protected resource.

Here is an overview of the Browser flow:

keycloak otp browser flow

Within this flow, the Conditional OTP Form follows the standard username/password form. However, it is not a Required step by default. Make it Required by selecting the “Browser Conditional OTP” Combo:

keycloak conditional otp

Testing the 2FA mechanism

Firstly, you need to install an Application that is able to provide an OTP token. For example, you could install Google Authenticator or Free OTP on your Mobile.

Next, login in to the application using the credentials of the “wildfly-realm” which are customer-admin/admin.

After successful authentication, the OTP Token Form will display:

keycloak mobile authentication otp

Next, scan the bar code with your Mobile OTP App.

Finally, collect the OTP Token for “wildfy-realm” in your App:

otp code keycloak

Enter the One-time code to complete the authentication.

Configuring the OTP Policy

To configure the OTP Policy for your Realm, follow these steps:

  1. Navigate to the Keycloak administration console and log in as an administrative user.
  2. In the left-hand menu, click on “Authentication” and then select the “OTP Policy” from the “Policies” tab.
configure otp keycloak

From there, you will be able to choose the OTP type (default is Time based), the Duration, the Supported applications and so on.

Enforcing Two-factor authentication for users

Finally, it is possible to enforce 2FA at user level in Keycloak. To do that, you can set the “Configure OTP” required action for the user. To do this, follow these steps:

  1. Firstly, navigate to the Keycloak administration console and log in as an administrative user.
  2. Next, in the left-hand menu, click on “Users” and then select the user you want to enforce 2FA for.
  3. Then, click on the “Actions” tab in the user’s profile page.
  4. Then, click on the “Add Required Action” button and select the “Configure OTP” option from the list.
  5. Finally, click on the “Save” button to save the changes.
Two-factor authentication (2FA)


Two-factor authentication (2FA) is an important security measure that adds an extra layer of protection to user accounts. Keycloak is an open-source software product that allows you to easily implement 2FA for your applications and services.