Adaptive MFA & Step-Up Enforcement for Sensitive Operations

Go beyond basic MFA. Keymate enables adaptive multi-factor authentication triggered by user behavior, context, or target resource—ensuring strong protection only when it's truly needed.

Contextual Multi-Factor Authentication Based on Risk, Resource, or User Role

Why It Matters

Not all access events are created equal. Logging in from a known location to view a dashboard is very different from approving a financial transaction or accessing sensitive PII. Traditional MFA enforces a fixed authentication step—usually at login. But modern threats require context-aware enforcement that adapts to the sensitivity of the action or the risk profile of the session.

Keymate's MFA engine allows you to:

Enforce MFA on high-value actions (step-up auth)
Trigger MFA based on location, device, time, or risk score
Seamlessly combine login-time and in-session challenges
Use any OIDC-compliant authenticator app (e.g., Google Authenticator, Microsoft Authenticator, etc.)
Integrate MFA triggers into policy evaluation with OpenFGA or custom DSL

Adaptive MFA Flow—Login or On-Demand

1. User logs in with password (first factor).
2. Risk engine evaluates session and user attributes.
3. If low risk, allow session with SSO token.
4. If accessing sensitive resource → trigger second factor.
5. MFA flow (OTP, app-based push, etc.) completes.
6. Access granted upon successful step-up.

Adaptive MFA Use Cases

Step-up for financial approval actions
MFA for privileged administrative operations
Location-aware challenge for travel logins
Behavior-triggered MFA (e.g., unusual access pattern)

Capability Highlights

Login-time MFA

Enforce OTP or app-based MFA at initial login

Step-Up MFA

Enforce second factor when sensitive actions are requested

Risk-Adaptive Triggers

Trigger based on IP, geo, device, or behavior

Token & Session Integration

MFA status embedded in token/session for downstream validation

OIDC-Compliant

Works with Google Authenticator, Microsoft Authenticator, etc.

Policy-Based Enforcement

Use Keymate DSL or OpenFGA to enforce when MFA is required
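The adaptive flow above and the "MFA status embedded in token/session" capability come together at the resource server, which must decide per request whether the session's existing factors suffice or a step-up is required. The following added example (not Keymate's or Keycloak's own code) shows that decision: it assumes the validated token carries the standard OIDC `amr` and `auth_time` claims, and the resource tiers and risk rules are hypothetical stand-ins for a Keymate DSL or OpenFGA policy.

```python
from dataclasses import dataclass

# Hypothetical resource tiers: 0 = first factor is enough, 1 = a second factor
# must have been completed in this session, 2 = a *fresh* second factor is needed.
RESOURCE_TIER = {"view_dashboard": 0, "export_pii": 1, "approve_payment": 2, "admin_console": 2}
# amr values (RFC 8176) that count as a completed second factor.
SECOND_FACTOR_AMR = {"otp", "hwk", "fido", "mfa", "sms"}
FRESH_MFA_SECONDS = 300  # how long a step-up stays fresh for tier-2 actions


@dataclass
class RequestContext:
    action: str
    ip_country: str
    known_countries: frozenset
    new_device: bool
    now: float  # epoch seconds, injected so the decision is deterministic and testable


def risk_score(ctx: RequestContext) -> int:
    """Toy risk engine: an unfamiliar country and an unknown device raise the score."""
    score = 0
    if ctx.ip_country not in ctx.known_countries:
        score += 2
    if ctx.new_device:
        score += 1
    return score


def decide(claims: dict, ctx: RequestContext) -> str:
    """Return 'allow' or 'step_up' for one request carrying an already-validated token's claims."""
    required = RESOURCE_TIER.get(ctx.action, 1)  # unknown actions default to tier 1
    risk = risk_score(ctx)
    if risk >= 2:
        required = max(required, 2)  # risky context demands a fresh second factor
    elif risk == 1:
        required = max(required, 1)
    has_mfa = bool(SECOND_FACTOR_AMR & set(claims.get("amr", [])))
    # auth_time is treated as the time of the most recent authentication event,
    # i.e. it is refreshed when the step-up completes and a new token is issued.
    mfa_age = ctx.now - claims.get("auth_time", 0)
    if required >= 1 and not has_mfa:
        return "step_up"
    if required >= 2 and mfa_age > FRESH_MFA_SECONDS:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    token = {"amr": ["pwd"], "auth_time": 1000}  # constructed sample claims
    ctx = RequestContext("approve_payment", "DE", frozenset({"DE"}), False, 1100)
    print(decide(token, ctx))  # password-only session hitting a tier-2 action
```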

Frequently Asked Questions

Yes, Keymate supports any TOTP or OIDC-compatible authenticator app.
Yes, via our policy engine or OpenFGA model, step-up enforcement can be fine-tuned.
Absolutely. Keymate lets you layer login MFA and session-based step-up MFA dynamically.
Planned. Future support will include biometric-based WebAuthn or FIDO2 flows.

How to Enable This Feature

Follow these steps to enable:

1. Enable the MFA extensions in Keycloak via Keymate
2. Define risk triggers or policies for enforcing step-up
3. Configure OTP or push-based authenticator integrations
4. Enrich sessions with MFA metadata
5. Monitor and audit MFA decisions via EventHub & Signoz

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.