Implementing "Remember Me" for 2FA in Keycloak with Direct Access and Custom SPI

We are using a custom login page and using direct access to log into our system. We are generating QR codes with a custom SPI on Keycloak for direct access. What we haven’t achieved yet is how to support the “remember me” functionality specifically for 2FA. After the user logs in with username, password, and OTP, we want them to be able to skip OTP for the next 2 days on the same browser. How can we achieve this functionality?

A similar question was asked on the Keycloak forum ( "Remeber me" -> Remember only 2FA ), but it hasn’t been answered yet. Is there any solution available in Keycloak?

There’s no solution ootb, because this makes no sense in terms of security.
By forcing users to use OTP, you want to increase the security level. By allowing them to skip it, you are decreasing the security level again.

Yes, “others” are doing it. But that doesn’t mean that it’s the proper way. Understanding security is hard…

You would have to implement something custom to achieve such a behavior with Keycloak. Good luck.
