Currently, Keycloak is limited to a single OTP-based two-factor mechanism (Google Authenticator or FreeOTP). There is some support for implementing alternative methods through a custom authenticator, but that path lacks the corresponding UI (login pages and account management).
We should provide a number of enhancements to two-factor authentication, including:
- Ability to only ask for the second factor every N days ("trust this machine" option) (KEYCLOAK-242)
- Alternative/backup two-factor mechanism, both to recover access when the primary one is unavailable and for users who want to regularly use an alternative mechanism (
- Ability for admins to register two-factor mechanisms on behalf of a user (e.g. hardware tokens)
- Additional built-in types (e.g. SMS, email, printed backup codes, hardware tokens, FIDO) (
- Ability for users to manage multiple mechanisms through the account management console (
- Configure the OTP policy on the authenticator rather than on the realm (
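Two of the proposed mechanisms, printed single-use backup codes and the "trust this machine for N days" option, are small enough to sketch end to end. The following is an added example written for this issue, not Keycloak code: it stores only salted hashes of the backup codes and consumes each code at most once, and it issues an HMAC-signed trust token that lets a login skip the second factor until the token's expiry. The server key, the 30-day default, the `|`-separated token layout and the assumption that user and device identifiers contain no `|` are all assumptions of the example.

```python
"""Added example (not Keycloak code): printed single-use backup codes and a
"trust this device for N days" token, as plain Python."""
import hashlib
import hmac
import secrets

BACKUP_CODE_BYTES = 5      # 40 bits of entropy per code, shown to the user as 10 hex chars
CODE_SALT_LEN = 16
TRUST_DAYS = 30            # the "N" in "ask for the second factor every N days" (assumed default)
SERVER_KEY = secrets.token_bytes(32)  # assumed server-side secret; would live in realm config


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are random and high-entropy, so a salted SHA-256 is sufficient here;
    # password-style stretching only matters when the secret is guessable.
    return hashlib.sha256(salt + code.strip().lower().encode()).digest()


def generate_backup_codes(count: int = 10):
    """Return (plaintext_codes, stored_records).

    The plaintext list is shown once so the user can print it; only the salted
    hashes are persisted, each with a 'used' flag so a code cannot be replayed.
    """
    plaintext, records = [], []
    for _ in range(count):
        code = secrets.token_hex(BACKUP_CODE_BYTES)
        salt = secrets.token_bytes(CODE_SALT_LEN)
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
        plaintext.append(code)
    return plaintext, records


def consume_backup_code(records, candidate: str) -> bool:
    """Accept a stored, unused code exactly once.

    Every record is compared (constant-time) regardless of earlier matches so
    that timing does not reveal which position, if any, matched.
    """
    matched = None
    for rec in records:
        same = hmac.compare_digest(_hash_code(candidate, rec["salt"]), rec["hash"])
        if same and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True
    return True


def issue_trust_token(user_id: str, device_id: str, now: float,
                      days: int = TRUST_DAYS, key: bytes = SERVER_KEY) -> str:
    """Mint the cookie value set after a successful second-factor login.

    Assumes user_id and device_id contain no '|' (e.g. UUIDs). The expiry is
    absolute, so a stolen token cannot be refreshed past the original N days.
    """
    expires = int(now) + days * 86400
    payload = f"{user_id}|{device_id}|{expires}"
    mac = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{mac}"


def device_trusted(token: str, user_id: str, device_id: str, now: float,
                   key: bytes = SERVER_KEY) -> bool:
    """True only if the token is authentic, bound to this user and device,
    and not yet expired. Any failure means: ask for the second factor."""
    try:
        t_user, t_device, t_exp, mac = token.split("|")
    except ValueError:
        return False
    payload = f"{t_user}|{t_device}|{t_exp}"
    expected = hmac.new(key, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, mac):   # verify before trusting any field
        return False
    return t_user == user_id and t_device == device_id and int(t_exp) > now


if __name__ == "__main__":
    codes, store = generate_backup_codes(3)
    print("print these once:", codes)
    print("first use:", consume_backup_code(store, codes[0]),
          "replay:", consume_backup_code(store, codes[0]))
    tok = issue_trust_token("user-1", "device-a", 1_700_000_000)
    print("trusted after 29 days:", device_trusted(tok, "user-1", "device-a", 1_700_000_000 + 29 * 86400))
    print("trusted after 31 days:", device_trusted(tok, "user-1", "device-a", 1_700_000_000 + 31 * 86400))
```

The MAC is checked before any field of the token is interpreted, and the backup-code lookup never short-circuits, so neither path leaks which identifier or code was close to matching.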