
MFA—Only When It Counts

Not every click needs a challenge. With Keymate's Step-Up Authenticator, trigger Multi-Factor Authentication (MFA) dynamically—only when users access high-value resources or perform sensitive actions.

On-Demand Multi-Factor Challenges for Sensitive Actions

Why It Matters

Always-on MFA can frustrate users and increase login abandonment. But skipping MFA entirely weakens security. Step-Up MFA offers a smarter balance by enforcing additional authentication:

  • Only for selected resources or operations
  • Based on real-time session context or risk levels
  • Without forcing MFA at every login

Ideal for financial apps, public portals, B2B tools, and government systems where certain actions must require re-affirmed user presence.

Login Once, Authenticate Again—If Risk or Action Demands It

Once a user is logged in, the Step-Up Authenticator:

  • Monitors protected endpoints or actions (e.g., "approve invoice", "view salary", "elevate role")
  • Evaluates context: risk score, time, IP, geo, session flags
  • If step-up is required, dynamically invokes the configured MFA flow
  • Records the challenge, result, and rationale in session notes and audit logs
  • Ensures the elevated trust level is temporary and scoped

[Figure: Dynamic Step-Up Authentication Flow. Example: MFA is triggered mid-session based on the action or context.]

This approach ensures minimum friction and maximum assurance—right when it's needed most.
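As an added illustration of the decision logic described above (this is not Keymate's own code, and the rule set below is a constructed stand-in, not the product's DSL or JSON format), the following Python models how a request is checked against action-based and risk-based rules, how a successful challenge grants a temporary elevation, and how that elevation lapses after its TTL:

```python
import json

# Constructed rule set for this example only; it models the concepts on the page
# (protected actions, risk threshold, scoped elevation) and is NOT Keymate's rule format.
RULES = json.loads("""
{
  "protected_actions": {"approve_invoice": 2, "view_salary": 2, "elevate_role": 2},
  "risk_step_up_threshold": 70,
  "elevation_ttl_seconds": 300
}
""")

BASE_LEVEL = 1      # trust level after an ordinary password login
ELEVATED_LEVEL = 2  # trust level after a successful MFA challenge


def effective_level(session, now):
    """Trust level in force right now: elevation is bound to the session and expires after its TTL."""
    if session.get("elevated_until", 0) > now:
        return session["elevated_level"]
    return BASE_LEVEL  # TTL passed (or never elevated): automatic downgrade


def evaluate(session, action, context, now):
    """Decide whether the request proceeds or a step-up challenge must run first.
    Returns (decision, rationale); the rationale is what the audit record should carry."""
    required = RULES["protected_actions"].get(action, BASE_LEVEL)
    rationale = f"action '{action}' requires level {required}"
    # Context can raise the requirement even for an otherwise unprotected action.
    if context.get("risk_score", 0) >= RULES["risk_step_up_threshold"]:
        required = max(required, ELEVATED_LEVEL)
        rationale = f"risk score {context['risk_score']} at or above threshold"
    have = effective_level(session, now)
    decision = "allow" if have >= required else "step_up"
    return decision, f"{rationale}; session at level {have}"


def complete_challenge(session, action, succeeded, now, audit):
    """Record the challenge outcome; on success grant a temporary, TTL-bound elevation."""
    if succeeded:
        session["elevated_level"] = ELEVATED_LEVEL
        session["elevated_until"] = now + RULES["elevation_ttl_seconds"]
    audit.append({"at": now, "action": action, "challenge": "mfa",
                  "result": "success" if succeeded else "failure",
                  "elevated_until": session.get("elevated_until")})
    return session
```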

Extension Highlights — What Makes It Unique

Action-Based MFA Trigger

Define protected actions or endpoints requiring extra MFA

Integrated with Authorization DSL

Use token context or custom conditions to determine enforcement

Compatible with All MFA Methods

OTP, biometrics, WebAuthn, push-based—choose your method

Token Trust Level Upgrades

After successful challenge, issue elevated-scope token

Built-In Session Expiry

Automatically downgrade trust level after TTL or activity timeout

Tenant-Specific Rules

Vary step-up enforcement by tenant, user group, or risk profile

Frequently Asked Questions

Standard MFA is applied during login. Step-Up MFA enforces re-authentication mid-session—based on action or context.
Yes. You define the rules—based on resource path, user role, risk score, or other token/session attributes.
Optionally yes. You can configure elevated-scope tokens with shorter TTLs post challenge.
Absolutely. Any MFA method supported by Keycloak is compatible.
Yes. Enforcement logic can differ across tenants, user groups, or environments.

How to Use This Extension

Follow these steps to enable the MFA Step-Up Authenticator.

Implementation Steps

1. Deploy the authenticator extension JAR into your Keycloak instance
2. Define MFA step-up rules using DSL or JSON logic
3. Configure protected resources or action triggers
4. Set token behavior after successful MFA challenge (TTL, scope)
5. Monitor step-up events in session logs and audit dashboard

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.