Overview

In the previous guide, we demonstrated how to add an MFA step to your Keycloak login flow using Authsignal.

In this guide, we will add passkey MFA to your Keycloak login flow using Authsignal’s pre-built UI.

Configuration

1. Set up passkeys on your tenant

First, follow the steps in Authsignal’s pre-built UI + passkeys configuration guide.

You should now have:

  1. Set up a custom domain
  2. Enabled a Passkey Authenticator on your tenant in the Authsignal Portal
  3. Chosen a Relying Party ID and Expected origins
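
The Relying Party ID and Expected origins chosen above have to agree under the WebAuthn rules (each origin's host must be the RP ID or a subdomain of it, served over HTTPS), otherwise the browser refuses the passkey ceremony. The following is an added example, not Authsignal's code, that checks a candidate pair before it is entered in the portal; the domain names are constructed placeholders and origins are assumed to be written as `scheme://host[:port]`.

```javascript
// Added example: pre-flight check of an RP ID against expected origins.
// Simplification: labels are compared directly and the Public Suffix List
// is not consulted, so an RP ID that is itself a public suffix is not caught.
function checkOrigin(rpId, origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return { origin, ok: false, reason: "not a valid URL" };
  }
  // An origin is scheme + host + optional port: no path, no trailing slash.
  if (url.origin !== origin) {
    return { origin, ok: false, reason: "not a canonical origin" };
  }
  const host = url.hostname;
  const localDev = url.protocol === "http:" && host === "localhost";
  if (url.protocol !== "https:" && !localDev) {
    return { origin, ok: false, reason: "WebAuthn needs a secure context" };
  }
  const id = rpId.toLowerCase();
  // Match on a label boundary so "notexample.com" does not pass for "example.com".
  if (host !== id && !host.endsWith("." + id)) {
    return { origin, ok: false, reason: `host is not ${id} or a subdomain` };
  }
  return { origin, ok: true, reason: "ok" };
}

// Returns the origins that would be rejected for the given RP ID.
function rejectedOrigins(rpId, expectedOrigins) {
  return expectedOrigins
    .map((o) => checkOrigin(rpId, o))
    .filter((r) => !r.ok)
    .map((r) => r.origin);
}

// Constructed sample values: a custom domain for the pre-built UI, a
// Keycloak host, and three entries that should be flagged.
const SAMPLE_RP_ID = "example.com";
const SAMPLE_ORIGINS = [
  "https://auth.example.com",
  "https://sso.example.com",
  "https://auth.example.com/",
  "http://sso.example.com",
  "https://example.com.attacker.test",
];

for (const r of SAMPLE_ORIGINS.map((o) => checkOrigin(SAMPLE_RP_ID, o))) {
  console.log(`${r.ok ? "OK  " : "FAIL"} ${r.origin} (${r.reason})`);
}
```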

2. Enable passkey uplift flow

Head to the Actions section in the Authsignal Portal.

If you have already tested your existing Authsignal + Keycloak integration, you should see an action called Sign in.

Click the Sign in action and follow our guide on enabling the passkey upgrade flow.

Testing the flow

The next time users log in and complete an MFA challenge, they will be prompted to add a passkey.

Once users have added a passkey, they will be prompted to use passkeys for MFA by default.

Passkey upgrade flow demo

Authsignal's pre-built UI passkey upgrade step.

Passkey being used for MFA demo

Using a passkey as a secondary factor via Authsignal pre-built UI.

Next steps

In the next guide, we will demonstrate how to set up passkey autofill. This will allow users to use their passkeys by clicking on the username or password input fields.