NIS-2: Implement multi-factor authentication with Keycloak

13 March 2025

NIS-2 gets serious with MFA

The major providers already offer this method as standard for their logins.

Multi-factor authentication (MFA) is nothing new, but until a few years ago the multi-step login was reserved for privileged accounts. With the requirements of the NIS-2 directive, multi-factor authentication has become state of the art, and for all types of users. The directive (Article 21(2)(j)) also names continuous authentication as an alternative to MFA, something only a few major players, such as Google, have implemented to date.

Keycloak supports MFA out-of-the-box

But let’s stay with multi-factor authentication first. App-based MFA can be implemented in several ways:

  • Mobile token, also known as push notification or pushTAN
    Anyone who has a Google account or uses online banking is familiar with this method: a push notification arrives on the phone and the user approves the request with a PIN or biometrics. Keycloak does not ship a push authenticator of its own; it acts as the MFA enabler in conjunction with third-party providers such as the Microsoft Authenticator app. The risk with push is MFA fatigue (push spamming): an attacker who already holds the password triggers prompts until the user approves one. Number matching in the authenticator app mitigates this. You can read more on intension’s IAM blog:
    https://www.intension.de/infoblog/was-ist-mfa-fatigue/
  • One Time Password (OTP)
    With a one-time password app such as FreeOTP or Google Authenticator, Keycloak provides MFA out of the box. The realm’s OTP policy defines the type (time-based TOTP or counter-based HOTP), the hash algorithm, the number of digits, the time step and the look-ahead window that tolerates clock drift; the “Configure OTP” required action enrols users. You can find out more here: One Time Password (OTP) policies
  • SMS or e-mail
    This is a less secure way to deliver the second factor: codes can be intercepted (SIM swapping, compromised mailboxes) and are as phishable as a password. The German Federal Office for Information Security (BSI) advises against this method of confirmation. SMS delivery is also not built into Keycloak and requires an extension. You can read more about this on the RWTH Aachen University blog or from the BSI itself.
  • Passkeys
    Passkeys are a newer, more secure and user-friendly authentication method based on FIDO2/WebAuthn that can replace passwords entirely, so users no longer have to remember a complex password that is susceptible to phishing and credential stuffing. A passkey is a public-key credential: the private key is created and kept in the authenticator (a secure element or the platform keystore) and never leaves it, only the public key is registered with the service, and the credential is bound to the service’s domain (the relying-party ID), so a look-alike phishing domain cannot use it. Passkeys are either device-bound or synchronized between the user’s devices through the platform’s credential manager; signing in on another device is supported by scanning a QR code (cross-device authentication). In Keycloak, passkeys are configured through the WebAuthn Passwordless policy and the matching authentication flow.
    You can find out more about passkeys from the German Federal Office for Information Security.
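To make the OTP policy settings from the list above tangible, here is an added example (not Keycloak’s own code) that re-implements RFC 6238 TOTP verification in Python and drives it from a dictionary whose keys mirror the attribute names Keycloak uses for the OTP policy in its realm representation. The secret is the RFC 6238 reference secret and the timestamps are constructed test data; the single-use bookkeeping is a simplified stand-in for what Keycloak does to stop a code being replayed.

```python
"""TOTP verification driven by Keycloak-style OTP policy settings (RFC 6238).

Added illustration, not Keycloak's implementation. The policy keys below
mirror the attribute names of Keycloak's realm representation (as seen in
a realm export or via kcadm.sh); the values are Keycloak's defaults.
"""
import hashlib
import hmac
import struct

OTP_POLICY = {
    "otpPolicyType": "totp",
    "otpPolicyAlgorithm": "HmacSHA1",   # HmacSHA256 / HmacSHA512 also selectable
    "otpPolicyDigits": 6,
    "otpPolicyPeriod": 30,              # seconds per time step
    "otpPolicyLookAheadWindow": 1,      # accept +/- this many steps of clock drift
    "otpPolicyCodeReusable": False,     # a code may be accepted only once
}

_HASHES = {
    "HmacSHA1": hashlib.sha1,
    "HmacSHA256": hashlib.sha256,
    "HmacSHA512": hashlib.sha512,
}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "HmacSHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, policy: dict = OTP_POLICY) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    step = unix_time // policy["otpPolicyPeriod"]
    return hotp(secret, step, policy["otpPolicyDigits"], policy["otpPolicyAlgorithm"])


class TotpVerifier:
    """Server-side check for one user: look-ahead window plus single-use enforcement."""

    def __init__(self, secret: bytes, policy: dict = OTP_POLICY):
        self.secret = secret
        self.policy = policy
        # Time steps whose code was already accepted; in a real deployment this
        # state lives in the credential store, not in memory.
        self.used_steps: set[int] = set()

    def verify(self, submitted: str, unix_time: int) -> bool:
        p = self.policy
        current = unix_time // p["otpPolicyPeriod"]
        window = p["otpPolicyLookAheadWindow"]
        # Forget used steps that can no longer fall inside the window.
        self.used_steps = {s for s in self.used_steps if s >= current - window}
        for step in range(current - window, current + window + 1):
            expected = hotp(self.secret, step, p["otpPolicyDigits"], p["otpPolicyAlgorithm"])
            if not hmac.compare_digest(expected, submitted):  # constant-time compare
                continue
            if not p["otpPolicyCodeReusable"] and step in self.used_steps:
                return False  # replay of a code that was already accepted
            self.used_steps.add(step)
            return True
        return False


def demo() -> dict:
    """Constructed walk-through: RFC 6238 reference secret, hand-picked timestamps."""
    secret = b"12345678901234567890"
    v = TotpVerifier(secret)
    code_at_59 = totp(secret, 59)
    return {
        "code_at_59": code_at_59,                       # "287082"
        "accepted_one_step_late": v.verify(code_at_59, 89),
        "replay_rejected": not v.verify(code_at_59, 89),
        "two_steps_late_rejected": not TotpVerifier(secret).verify(code_at_59, 119),
    }


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the knob that trades usability against exposure: each extra step widens the set of codes an attacker could guess or replay, which is why the single-use check belongs alongside it.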

Historically, paper TAN lists were one of the very first MFA methods. Hardly anyone still uses them: they are cumbersome to send by post and offer only limited security, since a list can be copied or phished as a whole.

Secure MFA procedures with hardware tokens

Hardware tokens offer a very good level of security for MFA. These include FIDO2 security keys (USB or NFC) and smartcards, such as the ProID smartcard from the Czech company Monet+. Smartcards are widely used, including as debit cards and health insurance cards. Keycloak handles security keys through its WebAuthn support and smartcards through X.509 client-certificate authentication in the browser flow.

Various MFA technologies for internal or external users

Which method and which devices or tools are used to implement MFA depends entirely on the use case. Is MFA being introduced for employees only, or do external users such as partners, suppliers, temporary workers, customers, members, citizens or patients need this secure authentication method as well?

It is advisable to analyze in advance which systems and identities the company wants to protect with MFA. In a hybrid landscape of internal and external applications, it makes sense to connect Keycloak to directory services such as Active Directory (AD) or another LDAP directory via user federation. At the same time, HTTP-based applications are easy to attach to Keycloak as the central identity provider if they speak OIDC or SAML; Keycloak then enforces the second factor in its authentication flow, so the individual applications do not have to implement MFA themselves.

Keycloak and AD are not mutually exclusive

First, define which system is authoritative for identities. Keycloak can act as the central user store, but it does not have to: Active Directory (AD) can remain the central identity store, and Keycloak is connected to it via User Federation (the LDAP provider) so that authentication, including the second factor, is handled centrally through Keycloak’s single sign-on. Note that the OTP or passkey credentials are then stored in Keycloak’s own database, not in AD.

Conclusion: Using Keycloak for multi-factor authentication makes it possible to keep existing services such as Active Directory or Entra ID in place. Combined with a suitable app- or hardware-based factor, Keycloak is a valuable tool for implementing MFA in line with the NIS-2 directive.


We would be happy to find your solution for implementing MFA.

Cyber security is essential today! Arrange a non-binding appointment with us.
