Using Token2 FIDO2 Security Keys for Keycloak

Keycloak is an open-source software solution designed to provide single sign-on access to applications and services. It allows users to authenticate once and access multiple applications without needing to re-enter their credentials. The project was started in 2014 and has since grown into a well-established open-source project with a strong community behind it. It is used by small projects and large enterprises alike.
Keycloak supports WebAuthn-based authentication and allows you to use FIDO2 security keys. In this guide, we will show the procedures required to configure Token2 security keys for passwordless login.

Requirements:

• Access to the Keycloak Admin UI over HTTPS (a valid, trusted certificate is needed)
• A Token2 FIDO security key
• Admin access to enable security keys (not required if security keys are already enabled)
• A modern browser that supports security keys

Step 1: Configure the realm

1) Log in to the Keycloak Administration console and click on 'Create Realm'.




2) Give the name tutorial_webauthn and click on the save button.
3) Then go to Authentication > Required Actions > Webauthn Register Passwordless. Turn on the 'Set as default action' option.




4) Go to Realm Settings > Login. Turn on the 'User registration' option to be able to register new users.




Step 2: Configure authentication

1) Go to Configure > Authentication > Flows. Enter the built-in flow with the name 'browser'. Select 'Duplicate' from the Action drop-down box.




2) Give a name to the new flow and click 'Duplicate'.




3) Delete existing sub-flows, leaving Cookie, Kerberos, and Identity Provider Redirector.




4) Create a new sub-flow with two steps, added one by one: Username Form and WebAuthn Passwordless Authenticator.




5) Bind the newly created flow as the default for the browser flow. Select 'Bind flow' from the Action drop-down box.




Step 3: Configure the client and user

In this guide, we will use the Keycloak app (https://www.keycloak.org/app/) as an authentication client for testing functionality.
1) Go to Clients > Create Client. Give a client ID and name, like below. Then click 'Next'.




2) Click 'Next' again. Set the root URL value to https://www.keycloak.org/app/ and click 'Save'.
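The admin-side part of Steps 1 to 3 (realm, required action, duplicated browser flow, new sub-flow, flow binding and test client) can also be driven through the Keycloak Admin REST API instead of the console. The script below is an added example, not Token2's or the Keycloak project's code. It assumes a server URL layout without the legacy /auth prefix, an admin user in the master realm, and names chosen here rather than taken from the guide: the flow name browser-passwordless, the sub-flow alias browser-passwordless-forms, the client ID keycloak-app, the sub-flow requirements (Alternative for the sub-flow, Required for both steps) and the explicit redirect URI and web origin. The endpoint paths and provider IDs are those of the Admin REST API; verify them against your server version. The RecordingTransport answers with constructed data shaped like Keycloak's responses, so dry_run() replays the whole procedure offline.

```python
import json
import urllib.parse
import urllib.request

REALM = "tutorial_webauthn"
FLOW = "browser-passwordless"              # name for the duplicated flow (chosen here)
SUBFLOW = "browser-passwordless-forms"     # alias of the new sub-flow (chosen here)
ACTION = "webauthn-register-passwordless"  # alias of "Webauthn Register Passwordless"
APP_URL = "https://www.keycloak.org/app/"  # the test client used in Step 3
KEEP = {"auth-cookie", "auth-spnego", "identity-provider-redirector"}  # Cookie, Kerberos, IdP Redirector
# Sub-flow is an alternative to Cookie/Kerberos, both steps inside it mandatory; new executions start DISABLED
WANTED = {SUBFLOW: "ALTERNATIVE", "auth-username-form": "REQUIRED",
          "webauthn-authenticator-passwordless": "REQUIRED"}

def http_transport(method, url, body=None, headers=None):
    # dict bodies are JSON-encoded; bytes (the token form) are sent as-is
    data = json.dumps(body).encode() if isinstance(body, dict) else body
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

class KeycloakAdmin:
    def __init__(self, base_url, transport=http_transport):
        self.base, self.transport, self.token = base_url.rstrip("/"), transport, None
    def login(self, username, password):
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        resp = self.transport("POST", f"{self.base}/realms/master/protocol/openid-connect/token",
                              form, {"Content-Type": "application/x-www-form-urlencoded"})
        self.token = resp["access_token"]
    def call(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        return self.transport(method, f"{self.base}/admin/realms{path}", body, headers)

def configure_passwordless(kc):
    r = f"/{REALM}"
    # Step 1 (1, 2, 4): create the realm with user self-registration switched on
    kc.call("POST", "", {"realm": REALM, "enabled": True, "registrationAllowed": True})
    # Step 1 (3): passwordless WebAuthn registration becomes a default required action
    ra_path = f"{r}/authentication/required-actions/{ACTION}"
    kc.call("PUT", ra_path, dict(kc.call("GET", ra_path), enabled=True, defaultAction=True))
    # Step 2 (1, 2): duplicate the built-in browser flow under a new name
    kc.call("POST", f"{r}/authentication/flows/browser/copy", {"newName": FLOW})
    # Step 2 (3): delete the copied top-level sub-flows, keeping Cookie, Kerberos, IdP Redirector
    for ex in kc.call("GET", f"{r}/authentication/flows/{FLOW}/executions"):
        if ex.get("level", 0) == 0 and ex.get("providerId") not in KEEP:
            kc.call("DELETE", f"{r}/authentication/executions/{ex['id']}")
    # Step 2 (4): new sub-flow with Username Form, then WebAuthn Passwordless Authenticator
    kc.call("POST", f"{r}/authentication/flows/{FLOW}/executions/flow",
            {"alias": SUBFLOW, "type": "basic-flow", "description": "username, then FIDO2 key"})
    for provider in ("auth-username-form", "webauthn-authenticator-passwordless"):
        kc.call("POST", f"{r}/authentication/flows/{SUBFLOW}/executions/execution", {"provider": provider})
    for ex in kc.call("GET", f"{r}/authentication/flows/{FLOW}/executions"):
        key = ex.get("displayName") if ex.get("authenticationFlow") else ex.get("providerId")
        if key in WANTED and ex.get("requirement") != WANTED[key]:
            kc.call("PUT", f"{r}/authentication/flows/{FLOW}/executions", dict(ex, requirement=WANTED[key]))
    # Step 2 (5): bind the new flow as the realm's browser flow
    kc.call("PUT", r, {"browserFlow": FLOW})
    # Step 3 (1, 2): public client for the test app; redirect URI and web origin set explicitly
    kc.call("POST", f"{r}/clients", {"clientId": "keycloak-app", "name": "Keycloak test app",
            "rootUrl": APP_URL, "publicClient": True, "redirectUris": [APP_URL + "*"],
            "webOrigins": ["https://www.keycloak.org"]})

def _ex(id_, level, requirement, **extra):
    return dict(id=id_, level=level, requirement=requirement, **extra)

class RecordingTransport:
    # Offline stand-in for http_transport: records calls, answers GETs with constructed sample data
    BEFORE = [_ex("e1", 0, "ALTERNATIVE", providerId="auth-cookie"),
              _ex("e2", 0, "DISABLED", providerId="auth-spnego"),
              _ex("e3", 0, "ALTERNATIVE", providerId="identity-provider-redirector"),
              _ex("e4", 0, "ALTERNATIVE", displayName=f"{FLOW} forms", authenticationFlow=True),
              _ex("e5", 1, "REQUIRED", providerId="auth-username-password-form")]
    AFTER = BEFORE[:3] + [  # listing after Step 2 (4): everything new starts DISABLED
        _ex("e6", 0, "DISABLED", displayName=SUBFLOW, authenticationFlow=True),
        _ex("e7", 1, "DISABLED", providerId="auth-username-form"),
        _ex("e8", 1, "DISABLED", providerId="webauthn-authenticator-passwordless")]
    def __init__(self):
        self.calls, self.listings = [], 0
    def __call__(self, method, url, body=None, headers=None):
        self.calls.append((method, url, body))
        if url.endswith("/token"):
            return {"access_token": "constructed-token"}
        if method == "GET" and url.endswith(f"/required-actions/{ACTION}"):
            return {"alias": ACTION, "enabled": True, "defaultAction": False}
        if method == "GET" and url.endswith("/executions"):
            self.listings += 1
            return [dict(e) for e in (self.BEFORE if self.listings == 1 else self.AFTER)]
        return None

def dry_run():
    transport = RecordingTransport()
    kc = KeycloakAdmin("https://keycloak.example.test", transport)  # placeholder host
    kc.login("admin", "placeholder-password")                     # placeholder credentials
    configure_passwordless(kc)
    return transport.calls
```

To run it against a real server, construct KeycloakAdmin with your server URL and the default http_transport, log in with a master-realm admin, and call configure_passwordless. The script is not idempotent: creating a realm or client that already exists fails, so rerun only on a fresh realm or after adapting the POSTs to check for existing objects first.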




3) Then go to the client app root page and enter the Keycloak URL, Realm name, and client ID. Click 'Save'.




4) Then click 'Sign in' and you will be redirected to the provided Realm login page.




5) Click on the registration link. Fill in the new user details and click 'Register'. Then you will be redirected to the security key registration page.




6) Click 'Register'. Keycloak will start to identify the inserted security key. Enter the PIN on the security key to continue.




7) Press the button on the security key to complete registration.
Note: Security keys differ in the exact instructions to activate them. Your key may require a tap or button press to activate registration.

Step 4: Connect using Passwordless

Passwordless login is now enabled for the user. To log in, enter your username; you will then be prompted to sign in with a security key.




Enter the PIN and then touch the button on the security key to complete the login.