MFA (OTP) depending on user / group / role?

Hi all,

we do have 1 client (application) defined in 1 realm. The customer want’s to enforce MFA (OTP) for dedicated users only. Is there a way do do this? Maybe for groups or roles?

Any hints are appreciated.


You don’t even need custom code for this. There are conditionals in the authentication flow configuration, depending on roles. So this can be done ootb since version 8 or 9 …!

1 Like

Many thanks @jangaraj and @dasniko . In between I did find this …

The “Conditional OTP Authenticator” is now part of Keycloak itself and works.

But I have one issue with that …

  1. When I’m going to assign a user the role “require_otp_role” directly the Conditional OTP works.
  2. When I’m going to add a user to a group that has the role “require_otp_role” assigned the OTP doesn’t work.

We’re using Keycloak 7.0.0. Should I open a ticket for this?


I’ve created a ticket for. See