Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Add MFA to Keycloak using Authsignal: A Step-by-Step Guide

Last Updated: March 3, 2025
Steven Clouston

Configuring advanced authentication flows in Keycloak can be very challenging. The Authsignal provider integration enables you to drop authentication challenges (including passkeys and WhatsApp OTP) into your sign-in flows. Our hosted UX and UI enable rapid deployments, while our full mobile SDK support enables you to build custom mobile experiences.

Let's dive into how to integrate multi-factor authentication (MFA) with Keycloak using the Authsignal Keycloak provider and the Authsignal Java SDK.

For a visual walkthrough of this integration process, you can watch our step-by-step video guide:

Prerequisites

Before we begin, ensure you have:

1. A running Keycloak server

2. An Authsignal account

3. Basic familiarity with Keycloak administration

Step 1: Download and Install Required Components

First, you'll need to download two essential components:

- The Authsignal Keycloak provider

- The Authsignal Java SDK

Add both components to your Keycloak server's Providers folder. These pre-built tools are designed to work seamlessly with your existing Keycloak setup, though the provider is open-source if you need to make customizations.

Step 2: Configure Authentication Flow

Once the components are installed, follow these steps in your Keycloak admin portal:

1. Create or select your desired realm

2. Navigate to the Authentication section

3. Duplicate the Browser flow

4. Remove the conditional OTP from the flow

5. Add the Authsignal Authenticator provider as a new required step

Step 3: Configure Authsignal Provider

In the provider configuration:

1. Enter your Authsignal tenant secret key

2. Add your Authsignal API URL

3. Enable "Enroll by Default" if you want users to be automatically enrolled in MFA

4. Bind the flow to the Browser flow
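
To confirm that Steps 2 and 3 took effect, you can audit a realm export (JSON) for the bound browser flow. The script below is an added example, not part of the Authsignal provider or the original guide; the provider id `authsignal-authenticator`, the flow aliases and the sample export are assumptions or constructed values, and the check looks only at each step's own requirement, not at that of its parent sub-flow.

```python
import json

# Assumption: provider id of the Authsignal authenticator as it appears in a
# realm export; confirm the real value in your own export.
AUTHSIGNAL_ID = "authsignal-authenticator"
OTP_FORM_ID = "auth-otp-form"  # Keycloak's built-in OTP form authenticator

def leaf_executions(realm, alias, seen=None):
    """Yield (authenticator, requirement) for every step reachable from a flow."""
    seen = set() if seen is None else seen
    if alias in seen:  # guard against cyclic sub-flow references
        return
    seen.add(alias)
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    for ex in flows.get(alias, {}).get("authenticationExecutions", []):
        if ex.get("authenticatorFlow"):
            yield from leaf_executions(realm, ex.get("flowAlias"), seen)
        else:
            yield ex.get("authenticator"), ex.get("requirement")

def audit_browser_flow(realm):
    """Return a list of findings; an empty list means the checks passed."""
    bound = realm.get("browserFlow")  # flow currently bound as the Browser flow
    steps = list(leaf_executions(realm, bound))
    findings = []
    reqs = [r for a, r in steps if a == AUTHSIGNAL_ID]
    if not reqs:
        findings.append(f"flow '{bound}' has no Authsignal step")
    elif "REQUIRED" not in reqs:
        findings.append("Authsignal step is not REQUIRED")
    if any(a == OTP_FORM_ID and r != "DISABLED" for a, r in steps):
        findings.append("built-in OTP form is still active")
    return findings

# Constructed sample: a trimmed realm export after Steps 2 and 3.
SAMPLE = json.loads("""
{"browserFlow": "browser-authsignal",
 "authenticationFlows": [
  {"alias": "browser-authsignal", "authenticationExecutions": [
    {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE"},
    {"authenticatorFlow": true, "flowAlias": "browser-authsignal forms", "requirement": "ALTERNATIVE"}]},
  {"alias": "browser-authsignal forms", "authenticationExecutions": [
    {"authenticator": "auth-username-password-form", "requirement": "REQUIRED"},
    {"authenticator": "authsignal-authenticator", "requirement": "REQUIRED"}]}]}
""")

if __name__ == "__main__":
    print(audit_browser_flow(SAMPLE) or "browser flow OK")
```

A finding that the bound flow has no Authsignal step usually means the duplicated flow was edited but never bound, so logins still run the original Browser flow.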

Step 4: Set Up Authenticators

In your Authsignal dashboard, configure the authentication methods you want to offer to your users. In this example, we are going to use an authenticator app.

Testing the Integration

Once configured, the MFA flow works as follows:

1. Users log in with their username and password

2. First-time users are prompted to enroll in MFA

3. Subsequent logins will require MFA verification

4. Upon successful verification, users gain access to their account

Conclusion

Integrating Authsignal MFA with Keycloak provides a robust security solution while maintaining a smooth user experience. The pre-built components and straightforward configuration process make it accessible for teams of all sizes to implement strong authentication measures.

For more detailed information and advanced configuration options, refer to the Authsignal documentation.
