We have a requirement for multi-factor authentication (MFA) using Keycloak, specifically to implement both TOTP and Email OTP.
We are currently using Keycloak version 26.1.3, but we could not find any built-in option to configure Email OTP.
Could you confirm whether Keycloak has native support for Email OTP in this version?
If not, would building a custom SPI be the recommended approach to achieve this functionality?
Additionally, we want to present TOTP and Email OTP on a single page during login, allowing users to choose their preferred authentication method.
To meet this requirement, would we need to create another custom SPI to support the dual authentication selection flow?
Use 2 “Alternative” authenticators, and then the user can select “Try another way”.
Keycloak supports TOTP, but for Email OTP you will need to go over the SPI development documentation (here) of Keycloak. In short, you need to create a custom EmailOTPAuthenticator which extends the Keycloak Authenticator (both implementation and factory).
There are existing third-party Email OTP repositories on GitHub. Depending on your use case, you may check them out and see how they work.
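To make the shape of such an SPI concrete, here is an added example of an `Authenticator` plus its `AuthenticatorFactory` written for this thread; it is not the poster's code, not one of the GitHub projects mentioned, and not part of Keycloak itself. The package name, the provider id `email-otp-authenticator`, the theme template `email-otp.ftl` (assumed to render a text input named `otp`), the auth-note names and the message-bundle keys are all assumptions made up for the example; the Keycloak calls (`AuthenticationFlowContext`, `EmailSenderProvider.send`, `LoginFormsProvider`, auth notes on the authentication session) are the standard SPI methods.

```java
// EmailOtpAuthenticatorFactory.java: hypothetical package; both classes kept in one file for brevity.
package com.example.keycloak.emailotp;

import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.HexFormat;
import java.util.List;
import jakarta.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.authentication.*;
import org.keycloak.email.*;
import org.keycloak.models.*;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.sessions.AuthenticationSessionModel;

class EmailOtpAuthenticator implements Authenticator {   // package-private so it can share the factory's file
    static final String NOTE_HASH = "email-otp-hash", NOTE_EXPIRY = "email-otp-expiry", NOTE_ATTEMPTS = "email-otp-attempts";
    static final String FORM = "email-otp.ftl";   // assumed theme template with a text input named "otp"
    static final int MAX_ATTEMPTS = 3;
    static final long TTL_MILLIS = 5 * 60 * 1000L;
    private static final SecureRandom RNG = new SecureRandom();

    @Override public void authenticate(AuthenticationFlowContext ctx) {
        // Fresh code per challenge; only its hash is stored in the auth session, the plaintext goes out by email once.
        String code = String.format("%06d", RNG.nextInt(1_000_000));
        AuthenticationSessionModel as = ctx.getAuthenticationSession();
        as.setAuthNote(NOTE_HASH, HexFormat.of().formatHex(sha256(code)));
        as.setAuthNote(NOTE_EXPIRY, Long.toString(System.currentTimeMillis() + TTL_MILLIS));
        as.setAuthNote(NOTE_ATTEMPTS, "0");
        try {
            ctx.getSession().getProvider(EmailSenderProvider.class).send(ctx.getRealm().getSmtpConfig(), ctx.getUser(),
                    "Your login code", "Your one-time code is " + code + ". It expires in 5 minutes.",
                    "<p>Your one-time code is <b>" + code + "</b>. It expires in 5 minutes.</p>");
        } catch (EmailException e) {
            // "emailSendError" is an assumed message-bundle key, as are the other keys below.
            ctx.failureChallenge(AuthenticationFlowError.INTERNAL_ERROR,
                    ctx.form().setError("emailSendError").createErrorPage(Response.Status.INTERNAL_SERVER_ERROR));
            return;
        }
        ctx.challenge(ctx.form().createForm(FORM));
    }

    @Override public void action(AuthenticationFlowContext ctx) {
        AuthenticationSessionModel as = ctx.getAuthenticationSession();
        String storedHash = as.getAuthNote(NOTE_HASH), expiry = as.getAuthNote(NOTE_EXPIRY);
        if (storedHash == null || expiry == null || System.currentTimeMillis() > Long.parseLong(expiry)) {
            clear(as);   // stale or missing code: end this attempt instead of accepting it
            ctx.failure(AuthenticationFlowError.EXPIRED_CODE);
            return;
        }
        String submitted = ctx.getHttpRequest().getDecodedFormParameters().getFirst("otp");
        boolean valid = submitted != null
                && MessageDigest.isEqual(HexFormat.of().parseHex(storedHash), sha256(submitted));   // constant-time
        if (!valid) {
            int attempts = Integer.parseInt(as.getAuthNote(NOTE_ATTEMPTS)) + 1;
            as.setAuthNote(NOTE_ATTEMPTS, Integer.toString(attempts));
            if (attempts >= MAX_ATTEMPTS) {   // cap guesses so a 6-digit code cannot be brute-forced within one session
                clear(as);
                ctx.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
                return;
            }
            ctx.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, ctx.form().setError("invalidEmailOtp").createForm(FORM));
            return;
        }
        clear(as);
        ctx.success();
    }

    @Override public boolean requiresUser() { return true; }
    // Offer this alternative only to users who can actually receive the code.
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return u.getEmail() != null && u.isEmailVerified(); }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    private static void clear(AuthenticationSessionModel as) { for (String n : List.of(NOTE_HASH, NOTE_EXPIRY, NOTE_ATTEMPTS)) as.removeAuthNote(n); }
}

// Keycloak discovers the factory through META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
public class EmailOtpAuthenticatorFactory implements AuthenticatorFactory {
    public static final String ID = "email-otp-authenticator";   // assumed provider id
    private static final EmailOtpAuthenticator SINGLETON = new EmailOtpAuthenticator();
    @Override public String getId() { return ID; }
    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public String getDisplayType() { return "Email OTP"; }
    @Override public String getReferenceCategory() { return "otp"; }
    @Override public boolean isConfigurable() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] { AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED };
    }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Emails a one-time code to the user's verified address."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

Packaging is the usual SPI routine: list the factory's fully qualified class name in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, ship the template in a login theme, drop the jar into `providers/` and rebuild. In the browser flow, placing "Email OTP" and the built-in "OTP Form" in one sub-flow with both set to Alternative is what produces the "Try another way" choice described in the other answer. The design choices worth keeping whatever the final code looks like: the code is generated from `SecureRandom`, only its hash is kept server-side, it expires, the comparison is constant-time, and the number of guesses per login attempt is capped so a short numeric code cannot simply be enumerated.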