Step-up Authentication in Keycloak: Adaptive Security for Sensitive Actions

The login looks normal. Then, mid-session, the system demands another proof of identity. This is Keycloak step-up authentication in action—security that adapts to context and risk.

Step-up authentication adds an extra layer of verification only when it is needed. In Keycloak, it keeps sensitive actions behind a stronger check while leaving routine logins frictionless. A user signs in normally, but when they try to access high-value resources, they must pass a second check before the action is allowed.

Keycloak supports step-up through Authentication Flows. You define conditions that trigger stronger authentication—like requiring OTP, WebAuthn, or client certificate validation. This can be tied to roles, scopes, or event parameters. The flexibility comes from Keycloak’s flow editor, where you chain authenticators and adjust execution settings.

A common pattern:

  • Base login with username and password.
  • On access to a protected realm or endpoint, invoke an additional execution that enforces 2FA.
  • Pass if verified, fail if incorrect or expired.

You can combine step-up triggers with dynamic policies. IP ranges, token claims, or request paths can influence when the extra step occurs. The result is tighter control without degrading user experience across the board.

Implementation steps in Keycloak:

  1. Create a new Authentication Flow for step-up.
  2. Add the desired authenticator (OTP Form, WebAuthn, Kerberos, etc.).
  3. Mark it as conditional and bind it to a required action or client scope.
  4. Update client configuration to point sensitive requests to the step-up flow.

Step-up authentication in Keycloak reduces the attack surface of sensitive operations. It supports zero trust principles by requiring fresh proof of identity at decisive moments. Well-designed flows protect critical APIs and admin endpoints while maintaining speed where the security risk is low.

If you want to see step-up authentication paired with modern developer tooling, try it on hoop.dev. Deploy in minutes, watch it work live, and lock down your most sensitive operations without friction.