Configuring multifactor authentication
For both IBM Z® Anomaly Analytics and IBM Z Operational Log and Data Analytics, Keycloak provides support for multifactor authentication through various methods. Configure multifactor authentication by using the Keycloak Admin Console.
About this task
You can configure multifactor authentication in the following ways:
- Configure two-factor authentication to use an authenticator application, such as FreeOTP, Google Authenticator, or Microsoft Authenticator. With this method, the authentication flow is the following sequence:
  - User name and password
  - One-time password from the authenticator application
- Configure two-factor authentication to use a one-time password (OTP) that is sent through email or text message. With this method, the authentication flow is the following sequence:
  - User name and password
  - One-time password from email or text message
- Configure multifactor authentication to use both an authenticator application and a one-time password that is sent through email or text message. With this method, the authentication flow is the following sequence:
  - User name and password
  - One-time password from email or text message
  - One-time password from the authenticator application
Important:
- For both IBM Z Anomaly Analytics and IBM Z Operational Log and Data Analytics, one-time password authentication is disabled by default. Therefore, to use one-time password authentication, you must configure it as described in this procedure.
- For any authentication flow that involves sending passwords through email or text message, the user profile for each user ID must include a valid email address (for text message delivery, the email address can be of the form cell_phone_number@email-to-sms_gateway). If a user ID does not have a valid email address, it cannot log in successfully because it has no way to receive the one-time password.
Procedure
Use one or more of the following methods to configure multifactor authentication.
- Two-factor authentication that uses an authenticator application
  To use this method, complete the following configuration steps:
  - In your realm, in the Configure section, click Authentication. From the resulting Authentication page, you can configure and manage different credential types.
  - From the Flows tab, in the Flow name column, click browser.
  - In the Flow details page for the browser flow, for the value of the Browser - Conditional OTP field, select Required.
  - To update the OTP policy, return to the Authentication page, click the Policies tab, and then click the OTP Policy tab.
    Restriction: Only FreeOTP supports customization of the fields on the OTP Policy tab. If you plan to use Google Authenticator or Microsoft Authenticator, all values on this form must remain unchanged from the installation defaults.
- Two-factor authentication that uses a one-time password that is sent through email or text message
  To use this method, complete the following configuration steps:
  - In your realm, in the Configure section, click Realm Settings.
  - In the resulting page, click the Email tab, and provide your email server information.
  - In your realm, in the Configure section, click Authentication. From the resulting Authentication page, you can configure and manage different credential types.
  - From the Flows tab, in the Flow name column, click ZOA Browser Email 2FA.
  - From the Action list, which is in the upper-right corner of the Flow details page, select Bind flow.
  - In the resulting window, for the Choose binding type field, select Browser flow, and click Save.
- Multifactor authentication that uses both an authenticator application and a one-time password that is sent through email or text message
  To use this method, complete the following configuration steps:
  - First, enable ZOA Browser Email 2FA as the authentication flow for the browser flow type, as outlined in the preceding information under Two-factor authentication that uses a one-time password that is sent through email or text message.
  - In your realm, in the Configure section, click Authentication.
  - From the Flows tab, in the Flow name column, click ZOA Browser Email 2FA.
  - In the resulting window, click Add step, and search for OTP Form.
  - Click OTP Form, and click Add.
  - For the OTP Form step, select Required.
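After completing any of the three methods, it is worth verifying the result outside the Admin Console, for example by auditing the realm export that Realm Settings > Action > Partial export produces. The following script is an added example, not IBM's or Keycloak's own code. It assumes the standard Keycloak export field names (browserFlow, authenticationFlows, authenticationExecutions, otpPolicy*, users) and that "auth-otp-form" is the provider id behind the OTP Form step; the sample export embedded at the bottom is constructed, with four deliberate problems so that every check fires. It checks the points this procedure depends on: the ZOA Browser Email 2FA flow is bound as the browser flow, its OTP Form step is Required, the OTP policy still matches the installation defaults that Google Authenticator and Microsoft Authenticator need, and every enabled user has an email address at which the one-time password can arrive.

```python
"""Audit a Keycloak realm export against the multifactor settings above (added example)."""
from typing import Optional

# Flow alias and step name come from the procedure; "auth-otp-form" is assumed to be
# Keycloak's provider id for the "OTP Form" step.
EMAIL_2FA_FLOW = "ZOA Browser Email 2FA"
OTP_FORM_PROVIDER = "auth-otp-form"

# Keycloak installation defaults for the OTP Policy tab. Google Authenticator and
# Microsoft Authenticator require these values to stay unchanged.
OTP_POLICY_DEFAULTS = {
    "otpPolicyType": "totp",
    "otpPolicyAlgorithm": "HmacSHA1",
    "otpPolicyDigits": 6,
    "otpPolicyPeriod": 30,
    "otpPolicyLookAheadWindow": 1,
    "otpPolicyInitialCounter": 0,
}


def find_flow(realm: dict, alias: str) -> Optional[dict]:
    """Return the top-level authentication flow with the given alias, or None."""
    for flow in realm.get("authenticationFlows", []):
        if flow.get("alias") == alias:
            return flow
    return None


def audit_otp_policy(realm: dict) -> list:
    """Flag OTP policy fields that differ from the installation defaults."""
    findings = []
    for key, default in OTP_POLICY_DEFAULTS.items():
        actual = realm.get(key, default)
        if actual != default:
            findings.append(f"OTP policy {key}={actual!r} differs from the default {default!r}; "
                            "only FreeOTP supports customized OTP policy values")
    return findings


def audit_email_2fa_flow(realm: dict, expect_otp_form: bool) -> list:
    """Check the email 2FA flow is bound as the browser flow and, if wanted, requires OTP Form."""
    findings = []
    bound = realm.get("browserFlow")
    if bound != EMAIL_2FA_FLOW:
        findings.append(f"browser flow is bound to {bound!r}, expected {EMAIL_2FA_FLOW!r}")
    flow = find_flow(realm, EMAIL_2FA_FLOW)
    if flow is None:
        findings.append(f"flow {EMAIL_2FA_FLOW!r} does not exist in the realm")
        return findings
    if expect_otp_form:
        steps = [e for e in flow.get("authenticationExecutions", [])
                 if e.get("authenticator") == OTP_FORM_PROVIDER]
        if not steps:
            findings.append(f"flow {EMAIL_2FA_FLOW!r} has no OTP Form step")
        for step in steps:
            if step.get("requirement") != "REQUIRED":
                findings.append(f"OTP Form step in {EMAIL_2FA_FLOW!r} is "
                                f"{step.get('requirement')!r}, expected 'REQUIRED'")
    return findings


def audit_users(realm: dict) -> list:
    """Every enabled user needs a deliverable email address to receive the one-time password."""
    findings = []
    for user in realm.get("users", []):
        if not user.get("enabled", True):
            continue  # disabled accounts never reach the OTP step
        if "@" not in (user.get("email") or ""):
            findings.append(f"user {user.get('username')!r} has no valid email address "
                            "and cannot receive a one-time password")
    return findings


def audit_realm(realm: dict, expect_otp_form: bool = True) -> list:
    """Run all checks; an empty list means the export matches the procedure."""
    return audit_otp_policy(realm) + audit_email_2fa_flow(realm, expect_otp_form) + audit_users(realm)


# Constructed sample export: wrong flow bound, OTP Form disabled, 8-digit OTP, user without email.
SAMPLE_REALM = {
    "realm": "example",
    "browserFlow": "browser",
    "otpPolicyType": "totp", "otpPolicyAlgorithm": "HmacSHA1", "otpPolicyDigits": 8,
    "otpPolicyPeriod": 30, "otpPolicyLookAheadWindow": 1, "otpPolicyInitialCounter": 0,
    "authenticationFlows": [
        {"alias": "browser", "authenticationExecutions": []},
        {"alias": EMAIL_2FA_FLOW, "authenticationExecutions": [
            {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE"},
            {"authenticator": "auth-username-password-form", "requirement": "REQUIRED"},
            {"authenticator": "auth-otp-form", "requirement": "DISABLED"},
        ]},
    ],
    "users": [
        {"username": "alice", "enabled": True, "email": "alice@example.com"},
        {"username": "bob", "enabled": True},
        {"username": "svc-disabled", "enabled": False},
    ],
}

if __name__ == "__main__":
    for line in audit_realm(SAMPLE_REALM):
        print("FINDING:", line)
```

Pass expect_otp_form=False when auditing a realm that uses only the email or text message method, since the OTP Form step is added only for the combined method.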