Hardware Tokens for Two Factor Authentication (2FA) with Keycloak

Why Hardware Tokens?

Two-factor authentication with Keycloak in Nubus is currently in a preview phase but will be part of the supported product scope in the future. The setup is documented in the Univention Keycloak app manual 25.0.6, section 4 (Configuration).

Keycloak supports TOTP for two-factor authentication. In most cases, a smartphone app is used to generate the one-time codes. But some end users don't have or don't want to use smartphones and prefer hardware tokens instead.

Tested devices

There are several solutions on the market that implement TOTP on hardware tokens. The following devices worked in my test setup (Nubus for Kubernetes 1.5.1).

REINER SCT Authenticator

The device includes a camera to scan QR codes during the 2FA onboarding, so it can be initialized without any further hardware or software. The setup is straightforward and rather user friendly. It supports a large number of accounts and so can be used not only for one Nubus deployment but for 2FA in several other applications. The device is the most expensive one in this comparison.

The vendor also offers a smaller, more expensive version which should also work.

Token2 Molto 1

https://www.token2.swiss/shop/product/token2-molto-1-i-multi-profile-totp-hardware-token

The device supports up to 10 tokens and therefore can be used for other services besides the Nubus deployment.

The device needs a "companion app" on an NFC-capable device for the initialization. I tested it using the Android app, following the documentation. The documentation has outdated screenshots but gives the needed information.

The setup itself was straightforward, but needs many steps and is not as user friendly as the REINER SCT or an OTP smartphone app. For example, one needs to know how to enter the programming mode of the device (switch the device off, then long-press the power button), which is not explained in the app; searching for it in the documentation led me into a timeout, and I had to log in to Keycloak again to restart the onboarding.

The documentation mentions that it is also possible to use the integrated keypad to enter the initialization code instead of scanning the QR code. I haven't tested that, as it seemed very error-prone to me.

Daily use doesn't need any device other than the Molto 1 and is user friendly.

Token 2 OTPC-P1-i

https://www.token2.swiss/shop/product/token2-otpc-p1-i-programmable-card-with-unrestricted-time-sync-totp-hardware-token

The device comes in credit-card size and therefore is the smallest and cheapest one, but supports only one token. The setup is similar to the Molto 1, which means it also needs an NFC-capable device. I tested with the Android app (attention: it is a different app than the one for the Molto 1).

The setup is slightly simpler than for the Molto 1, as the card doesn't need to be switched to a programming mode. Daily use is very straightforward: there is only one button.

In contrast to the other two devices, this one doesn't offer PIN protection.

Summary

Using TOTP hardware tokens with Keycloak for 2FA is an option if smartphones are not available or not wanted. So far, every device that claimed to support TOTP worked with Keycloak in Univention Nubus; the devices listed here are examples, and more devices are available.

While devices with an integrated camera like the REINER SCT Authenticator are easier to set up and offer more functionality, other devices are available which are smaller and cheaper but need a companion device (smartphone or PC) for the initialization.

If your end users need the easiest daily use, I recommend the credit-card-size device plus a person who helps these users with the initial setup. If you have several services which support OTP, the slightly larger model is your choice.

If you want to hand out a device where most end users are able to do the onboarding by themselves, I'd recommend those with an integrated camera to scan the QR code.
