Keycloak has recently expanded the default multi-factor authentication (MFA) options with supported Recovery Codes, which you can use if you don’t have access to your OTP device (e.g. your phone) and WebAuthN. The latest release also improved the user experience dramatically for passwordless authentication using Passkeys.

In my talk, I will explain how to use MFA correctly, what it is and what it is not. Afterwards, I’ll show hands-on how to configure Keycloak for proper MFA usage and how you also can use passwordless authentication using Passkeys in parallel to traditional authentication with username, password and MFA.