Skip to content

Passwords & MFA

Rules new and changed passwords must satisfy.

  • Recommended: at least length(12) plus notUsername and notEmail; add a breach check (Not recently used, and a HaveIBeenPwned-style rule where available).
  • Ask the assistant: “Require a minimum password length of 12 and block the username for acme-prod.”
  • Keycloak: Authentication → Policies → Password policy.

Time-based OTP from an authenticator app (Google Authenticator, 1Password, etc.).

  • Recommended: required for admin/privileged pools; optional-but-encouraged for consumer.
  • Ask the assistant: “Require OTP for acme-prod.”
  • Keycloak: Authentication → Required actions → Configure OTP, and the OTP policy under Authentication → Policies → OTP policy.

Phishing-resistant passwordless sign-in with Touch ID / Face ID / Windows Hello / a security key.

  • Ask the assistant: “Enable passkey sign-in for acme-prod.” It stages a dry-run and, on your confirmation, sets the WebAuthn passwordless policy (resident-key, user-verification required), enables the passkey-registration action for all users, and binds a passkey-capable browser flow — so users can sign in with a passkey alongside their password.
  • First login after enabling: users are prompted to enrol a passkey. Once enrolled, they can choose “Sign in with a passkey.”
  • Why: phishing-resistant MFA for SOC 2 and fewer password-reset tickets. See the Keycloak WebAuthn docs.

Require stronger authentication only for sensitive actions (e.g. changing payment details), rather than for every login.

  • Keycloak: conditional authenticators in a custom Authentication flow keyed to an ACR level of assurance.
  • See Advanced Security for adaptive/step-up patterns.