Trigger OTP Only When Risk Demands It

Why force users through MFA every time? With Keymate's risk-adaptive authenticator, one-time passwords are requested only when contextual conditions indicate elevated risk—like login from an unusual IP, time window, or location.

Risk-Aware OTP Challenge Triggered by Real-Time Conditions

Why It Matters

MFA fatigue is real. Users grow tired of repetitive, unnecessary authentication prompts. Keymate's Event-Based OTP Authenticator enables a Risk-Adaptive Access Control (RADAC) model by:

  • Evaluating IP, time of day, device, and geolocation before triggering OTP
  • Reducing friction during low-risk logins
  • Enhancing protection for sensitive operations or suspicious behavior
  • Integrating seamlessly into Keycloak login flows

This improves security without compromising user experience.

OTP When It Matters—Not When It Doesn't

When a user logs in:

Risk-Adaptive OTP Challenge

This fine-grained control results in a smarter, more secure IAM flow.

Example: OTP is only triggered when the session context meets certain risk criteria.

Key Components:

  • A risk engine evaluates the session context: IP, time, location, device, behavior history
  • If the risk score exceeds a configured threshold, the OTP challenge is enforced
  • Otherwise, the login proceeds without interruption
  • The OTP decision is recorded in session notes and audit logs for traceability
  • Rules can be customized per realm, tenant, or user role
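As an added illustration of these components (not Keymate's code; the page does not show its risk engine or DSL), the class below is a minimal Keycloak ConditionalAuthenticator that scores the session context, lets the OTP step that follows it in a conditional subflow run only when the score reaches a threshold, and writes the decision and its reasons into the authentication session notes and the login event. Only the Keycloak SPI types are real; the config keys, note names, user attribute name, the scoring weights and the use of the User-Agent header as a stand-in for a device identifier are assumptions made for the example.

```java
// Added example: a risk-gated condition placed before "OTP Form" in a Keycloak
// conditional subflow. Not Keymate's implementation; keys and weights are assumed.
package example.riskotp; // hypothetical package

import java.time.LocalTime;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

public class RiskOtpCondition implements ConditionalAuthenticator {

    // Authenticator config keys (assumed names; set on the execution's config in the admin console).
    static final String CFG_THRESHOLD = "risk.threshold";                    // e.g. "50"
    static final String CFG_TRUSTED_IP_PREFIXES = "risk.trusted-ip-prefixes"; // e.g. "10.,192.168."
    static final String CFG_HOURS_UTC = "risk.hours-utc";                    // e.g. "08-18"
    // User attribute listing device identifiers seen before (assumed name; a real
    // deployment would store a proper device fingerprint, not a raw User-Agent string).
    static final String USER_ATTR_DEVICES = "risk.known-devices";

    /** Pure scoring step with no Keycloak types, so it can be unit-tested on its own.
     *  Appends a short reason for every contributing signal to {@code reasons}. */
    static int score(String ip, String device, int hourUtc, List<String> knownDevices,
                     Map<String, String> cfg, List<String> reasons) {
        int score = 0;
        List<String> trusted = Arrays.asList(cfg.getOrDefault(CFG_TRUSTED_IP_PREFIXES, "").split(","));
        boolean trustedIp = ip != null
                && trusted.stream().filter(p -> !p.isBlank()).anyMatch(ip::startsWith);
        if (!trustedIp) { score += 40; reasons.add("untrusted-ip"); }

        String[] window = cfg.getOrDefault(CFG_HOURS_UTC, "00-24").split("-");
        int from = Integer.parseInt(window[0]), to = Integer.parseInt(window[1]);
        if (hourUtc < from || hourUtc >= to) { score += 30; reasons.add("outside-hours"); }

        if (device == null || !knownDevices.contains(device)) { score += 30; reasons.add("new-device"); }
        return score;
    }

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        AuthenticatorConfigModel model = context.getAuthenticatorConfig();
        Map<String, String> cfg = model == null ? Map.of() : model.getConfig();
        int threshold = Integer.parseInt(cfg.getOrDefault(CFG_THRESHOLD, "50"));

        // Gather the session context: client IP, a device identifier, login hour, known devices.
        UserModel user = context.getUser();
        String ip = context.getConnection().getRemoteAddr();
        String device = context.getHttpRequest().getHttpHeaders().getHeaderString("User-Agent");
        int hour = LocalTime.now(ZoneOffset.UTC).getHour();
        List<String> known = user == null ? List.of()
                : user.getAttributeStream(USER_ATTR_DEVICES).collect(Collectors.toList());

        List<String> reasons = new ArrayList<>();
        int risk = score(ip, device, hour, known, cfg, reasons);
        boolean otpRequired = risk >= threshold;

        // Record the decision and its reasons so the trigger is traceable in session
        // notes and in the login event that Keycloak emits for this authentication.
        AuthenticationSessionModel session = context.getAuthenticationSession();
        session.setAuthNote("risk.score", Integer.toString(risk));
        session.setAuthNote("risk.otp-required", Boolean.toString(otpRequired));
        session.setAuthNote("risk.reasons", String.join(",", reasons));
        context.getEvent().detail("risk_score", Integer.toString(risk))
                          .detail("otp_required", Boolean.toString(otpRequired))
                          .detail("risk_reasons", String.join(",", reasons));

        // true: the OTP execution after this condition runs; false: the subflow is skipped.
        return otpRequired;
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; } // evaluated after the user is identified
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

To use it, add a Conditional subflow to the browser flow, make this condition its first execution (marked Required) and "OTP Form" the second; Keycloak then evaluates matchCondition and only runs the OTP form when it returns true. Making the class selectable in the admin console also needs a factory implementing ConditionalAuthenticatorFactory, registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory (not shown). The fixed weights stand in for a risk engine; in a RADAC setup the score would come from that engine and the session-note recording is what the "Monitor OTP challenges" step reads.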

Extension Highlights — What Makes It Unique

Context-Aware Triggers

Evaluates IP, login hour, geolocation, session history, and more

Custom Risk Rules

Define per-tenant or per-user OTP enforcement rules

Seamless Flow Integration

Plug directly into Keycloak's authentication flow

Session Note Recording

Log OTP challenge triggers and reasons

Built-In Compatibility with RADAC

Pairs with Keymate's Risk Engine and DSL rules

Step-Up Ready

Use in conjunction with operation-level OTP policies (e.g. "approve invoice")

Frequently Asked Questions

No—it extends it. This module adds conditional logic to decide when to show OTP.
Yes. Risk logic is fully configurable per realm or globally via DSL or JSON rules.
No. It can also be used as step-up MFA during sensitive actions (e.g., role elevation, approval screens).
Yes. This extension natively consumes data from the Keymate Risk Engine and session context.
The authenticator calls Keycloak's OTP step only when the custom condition passes.

How to Use This Extension

Follow these steps to enable the Event-Based OTP Authenticator.

Implementation Steps

  1. Deploy the extension JAR into Keycloak
  2. Configure the authenticator in the desired login or step-up flow
  3. Define your risk evaluation criteria (JSON or DSL rules)
  4. Integrate with Keymate Risk Engine if desired
  5. Monitor OTP challenges and outcomes via session notes and observability tools

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.