[keycloak-user] Adding 2FA with SMS

Lukasz Lech l.lech at ringler.ch
Mon Jun 17 02:42:49 EDT 2019


Hello,

What would it actually mean to swap LoginFormsProvider? 

Would it be enough to drop own extension to standalone/deployments (+ some change in standalone-ha.xml)? 

Best regards,
Lukasz Lech


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Lukasz Dywicki
Sent: Saturday, 15 June 2019 08:32
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Adding 2FA with SMS

Introduction of extra steps for login/registration is entirely possible. However, there is a need to swap (extend) LoginFormsProvider, add a new FormAction and Authenticator as well, and yes - a template too.
There is a close relation between these parts when it comes to processing login and registration flows.
You don’t need to modify any Keycloak code directly, it is sufficient to extend existing classes. You can use User attributes to store additional data about the mobile number. It is a mechanism made for that.
The extension you linked is a nice example of an additional credential type, which is the proper way from a design point of view, but absolutely not necessary to start having an SMS code verifier. In the end such a verifier is a simple bearer to fail authentication.

Cheers,
Łukasz Dywicki
--
Code-House
http://code-house.org

> On 14 Jun 2019, at 12:07, Lukasz Lech <l.lech at ringler.ch> wrote:
> 
> Hello,
> 
> I'm analysing the requirement for adding 2FA with SMS to keycloak.
> 
> There is a ready project https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns and to activate this, you need to modify authentication browser flow.
> This looks quite cheaply made. First, the SMS is always sent, but validated only if you set SMS validation to REQUIRED; second, you give your mobile number, and if it is wrong, you must call support to change that for you.
> 
> The correct way would be to make it analogous to TOTP. A separate screen where you give your mobile number, and then give the validation code, and only then will your mobile phone be saved.
> 
> Could you please give me a hint, if adding second 2FA this way could be made via plug-in, so, by writing provider(s), changing themes and editing flows in administration, or it would require some changes to keycloak core code?
> 
> Were there any attempts at writing alternative 2FA plugins working in a similar way to how TOTP is working now?
> 
> Best regards,
> Lukasz Lech
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
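The Authenticator half of what Lukasz Dywicki describes, as an added example that is not code from this thread, from the linked extension, or from Keycloak itself: it reads the mobile number from a user attribute, stores the one-time code server side in the authentication session, and renders the challenge through LoginFormsProvider. Assumed and not from the thread: the attribute name mobile_number, the template sms-code.ftl, the auth-note names, and an abstract sendSms hook for delivery; the matching AuthenticatorFactory and the enrolment FormAction are not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

// Second browser-flow step: challenge for a code sent to the mobile number held in a user
// attribute. Attribute name, auth-note names and template name are assumptions.
public abstract class SmsCodeAuthenticator implements Authenticator {
    static final String MOBILE_ATTR = "mobile_number", TEMPLATE = "sms-code.ftl";
    static final String NOTE_CODE = "sms.code", NOTE_EXPIRES = "sms.expires";
    static final long TTL_MS = 5 * 60 * 1000;
    private final SecureRandom rnd = new SecureRandom();

    // Delivery through an SMS gateway is out of scope; a subclass supplies it.
    protected abstract void sendSms(String mobile, String text);

    @Override public void authenticate(AuthenticationFlowContext context) {
        String mobile = context.getUser().getFirstAttribute(MOBILE_ATTR);
        if (mobile == null) { context.attempted(); return; }   // not enrolled: flow requirement decides
        String code = String.format("%06d", rnd.nextInt(1_000_000));
        AuthenticationSessionModel session = context.getAuthenticationSession();
        session.setAuthNote(NOTE_CODE, code);                  // server side only, never sent to the browser
        session.setAuthNote(NOTE_EXPIRES, Long.toString(System.currentTimeMillis() + TTL_MS));
        sendSms(mobile, "Your login code is " + code);
        context.challenge(context.form().createForm(TEMPLATE)); // LoginFormsProvider renders the theme template
    }

    @Override public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String entered = form.getFirst("sms_code");
        AuthenticationSessionModel session = context.getAuthenticationSession();
        String expected = session.getAuthNote(NOTE_CODE), expires = session.getAuthNote(NOTE_EXPIRES);
        boolean fresh = expires != null && System.currentTimeMillis() < Long.parseLong(expires);
        boolean match = entered != null && expected != null && MessageDigest.isEqual(
            entered.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
        if (fresh && match) {
            session.removeAuthNote(NOTE_CODE);                 // one-time use: the code cannot be replayed
            context.success();
        } else {
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                context.form().setError("invalidSmsCode").createForm(TEMPLATE));
        }
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return u.getFirstAttribute(MOBILE_ATTR) != null; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Unlike the behaviour complained about above, the code is only sent when this step actually challenges, and it is validated on every submission rather than only when the execution is REQUIRED. An attempt counter in the auth session (or Keycloak's brute-force detection) should be added before guessing a six-digit code becomes practical; it is left out here for length.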
