Adding passkey MFA to your Keycloak login flow
Learn how to add passkey MFA to your Keycloak login flow with Authsignal.
Overview
In the previous guide, we demonstrated how to add an MFA step to your Keycloak login flow using Authsignal.
In this guide, we will add passkey MFA to your Keycloak login flow using Authsignal’s pre-built UI.
Configuration
Set up passkeys on your tenant
First, follow the steps in Authsignal’s pre-built UI + passkeys configuration guide.
You should now have:
- Set up a custom domain
- Enabled a Passkey Authenticator on your tenant in the Authsignal Portal
- Chosen a Relying Party ID and Expected origins
Enable passkey uplift flow
Head to the Actions section in the Authsignal Portal.
If you have already tested your existing Authsignal + Keycloak integration, you should see an action called Sign in.
Click the Sign in action and follow our guide on enabling the passkey upgrade flow.
Testing the flow
The next time users log in and complete an MFA challenge, they will be prompted to add a passkey.
Once users have added a passkey, they will be prompted to use passkeys for MFA by default.
Passkey upgrade flow demo
Authsignal's pre-built UI passkey upgrade step.
Passkey being used for MFA demo
Using a passkey as a secondary factor via Authsignal pre-built UI.
Next steps
In the next guide, we will demonstrate how to set up passkey autofill. This will allow users to use their passkeys by clicking on the username or password input fields.