Passwords & MFA
Password policy
Section titled “Password policy”Rules new and changed passwords must satisfy.
- Recommended: at least
length(12)plusnotUsernameandnotEmail; add a breach check (Not recently used, and a HaveIBeenPwned-style rule where available). - Ask the assistant: “Require a minimum password length of 12 and block the username for acme-prod.”
- Keycloak: Authentication → Policies → Password policy.
One-time passcodes (TOTP)
Section titled “One-time passcodes (TOTP)”Time-based OTP from an authenticator app (Google Authenticator, 1Password, etc.).
- Recommended: required for admin/privileged pools; optional-but-encouraged for consumer.
- Ask the assistant: “Require OTP for acme-prod.”
- Keycloak: Authentication → Required actions → Configure OTP, and the OTP policy under Authentication → Policies → OTP policy.
WebAuthn passkeys
Section titled “WebAuthn passkeys”Phishing-resistant passwordless sign-in with Touch ID / Face ID / Windows Hello / a security key.
- Ask the assistant: “Enable passkey sign-in for acme-prod.” It stages a dry-run and, on your confirmation, sets the WebAuthn passwordless policy (resident-key, user-verification required), enables the passkey-registration action for all users, and binds a passkey-capable browser flow — so users can sign in with a passkey alongside their password.
- First login after enabling: users are prompted to enrol a passkey. Once enrolled, they can choose “Sign in with a passkey.”
- Why: phishing-resistant MFA for SOC 2 and fewer password-reset tickets. See the Keycloak WebAuthn docs.
Step-up authentication
Section titled “Step-up authentication”Require stronger authentication only for sensitive actions (e.g. changing payment details), rather than for every login.
- Keycloak: conditional authenticators in a custom Authentication flow keyed to an ACR level of assurance.
- See Advanced Security for adaptive/step-up patterns.