You can implement a custom Authenticator and add it to your login flow. There has been discussion about this elsewhere (java - How to implement Recaptcha on keycloak login page - Stack Overflow) and I believe there are some implementations on GitHub.