Is it possible to enforce 2FA for some users?

Hi,

I’m considering using Keycloak to authenticate users on a SaaS solution. I would like to know if it is possible to enforce the usage of 2FA for some users?

Some of our organization will need to enforce 2FA for all their users, and some won’t.

Thanks

It’s possible to enforce an authentication flow conditionally based on a role.
So, if the users you want to force to use a 2FA method have a role which the others don’t have, then it’s possible.

Thanks for your reply, I’ll see if we can do that.

If you need a condition based on user attributes, you’ll have to implement a ConditionalAuthenticator on your own and deploy it as a custom provider to your Keycloak instance(s).

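As an added illustration of the custom-provider approach above (example code, not from the thread or from Keycloak itself): a ConditionalAuthenticator that matches when the user carries a hypothetical `require_2fa` attribute set to `true`. It is placed as the condition step of a Conditional sub-flow whose other step is the built-in OTP Form set to Required; the role-based variant from the earlier reply needs no code, since the built-in "Condition - user role" does the same job. A ConditionalAuthenticatorFactory (returning `SINGLETON`, with a provider id of your choice) and a `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` entry are still required to deploy it.

```java
package com.example.keycloak.mfa; // hypothetical package name

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Condition step for a Conditional sub-flow: returns true (OTP Form is then enforced)
// only for users whose "require_2fa" attribute is explicitly "true".
public class RequireTotpAttributeAuthenticator implements ConditionalAuthenticator {

    public static final RequireTotpAttributeAuthenticator SINGLETON = new RequireTotpAttributeAuthenticator();

    // Hypothetical attribute name; set it per organisation (e.g. by the admin API or an import).
    static final String ATTRIBUTE = "require_2fa";

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        // The user is only known after the username/password step; without one there is nothing to decide on.
        if (user == null) {
            return false;
        }
        // Only an explicit "true" opts the user in; any other value leaves the sub-flow skipped.
        // If your policy is "2FA unless explicitly exempted", invert this check instead.
        return "true".equalsIgnoreCase(user.getFirstAttribute(ATTRIBUTE));
    }

    // Condition evaluation happens in matchCondition(); the flow never calls authenticate() directly.
    @Override public void authenticate(AuthenticationFlowContext context) { }
    @Override public void action(AuthenticationFlowContext context) { }

    // The condition depends on the user, so it must run after a step that identifies the user.
    @Override public boolean requiresUser() { return true; }

    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

Users that match but have no OTP credential yet are prompted to configure one by the OTP Form step, so the attribute alone is enough to switch enforcement on for an organisation.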
Hi, it seems the conditional authentication could work fine (based on role or request attribute - useful for location-based rules for instance), or even a custom implementation, as per @dasniko - but I had the impression that for some systems you may require OTP, and others you won’t.

Some of our organization will need to enforce 2FA for all their users, and some won’t.

It would be a strange SSO experience if that’s the case, but can you confirm? You may also think about managing separate realms (one forcing OTP, another skipping it), which could be the case depending on your requirement.

With another IdP we had such a setup. When an SP required 2FA but the user had only authenticated with 1FA until then, the user would be prompted for the 2nd factor and only then would the user get access to the new SP.