This blog post is a summary of my project at the European Organization for Nuclear Research (CERN), where I worked in their Identity and Access Management (IAM) team.
My project was to introduce Two-Factor Authentication (2FA) in the Keycloak system. CERN started migrating to the Keycloak Identity Provider (IdP) as part of the MALT project, which aimed to move away from Microsoft products. The project was cancelled in late 2021; however, some services were allowed to continue development. The IAM team was allowed to continue development of the CERN SSO, which was based on Keycloak.
We developed a custom 2FA implementation with Keycloak which allowed users to optionally log in with a second factor from the SSO login page. Internally, this setup posed a few …