When starting your free and open source multi-factor authentication (MFA) implementation, consider:
- Enterprise-grade MFA solutions: Keycloak, Authelia, Authentik, Zitadel, and Kanidm that provide full-fledged identity and access management (IAM) with several authentication protocols.
- Lightweight MFA tools: Hanko, LLDAP, FreeIPA, privacyIDEA, and Rauthy, which are simpler to configure and manage for smaller or self-hosted setups.
| Tool | Focus | |
|---|---|---|
1. | Enterprise-ready IAM | |
2. | Self-hosted 2FA and SSO for smaller setups | |
3. | IAM for small to medium setups | |
4. | Enterprise-ready IAM | |
5. | IAM with broad built-in features like OAuth2/OIDC | |
6. | Passwordless authentication with MFA features | |
7. | Lightweight, self-hosted LDAP server for basic directory services | |
8. | MFA-focused system with OTP and security key support | |
9. | IAM for Linux/UNIX environments | |
10. | Lightweight OpenID Connect (OIDC) provider | |
Features of open source MFA solutions
| Tool | Multi-tenancy architecture | Token impersonation | Biometric authentication | Google Titan key support |
|---|---|---|---|---|
| Keycloak | ✅ | ✅ | Limited (via extensions) | ✅ |
| Authelia | ❌ | Limited (via extensions) | ❌ | ❌ |
| Authentik | ✅ | ✅ | Limited (via extensions) | ✅ |
| Zitadel | ✅ | ✅ | Limited (via extensions) | ❌ |
| Kanidm | ❌ | ✅ | Limited (via extensions) | ❌ |
| Hanko | ❌ | ❌ | ✅ | ❌ |
| LLDAP | ❌ | ❌ | ❌ | ❌ |
| privacyIDEA | ✅ | ❌ | ✅ | ❌ |
| FreeIPA | ❌ | ❌ | ❌ | ❌ |
| Rauthy | ❌ | ❌ | ❌ | ❌ |
- Multi-tenancy architecture: Allows multiple independent user groups or tenants with isolated data and configurations.
- Token impersonation: Allows secure token delegation or impersonation of a user/application for authorized actions.
- Biometric authentication: Offers biometric factors like fingerprints.
- Google Titan Security Key: A hardware-based authentication device that provides phishing-resistant 2FA or passwordless login.
→ All tools (except LLDAP) offer compatibility with hardware tokens (e.g., YubiKey) and FIDO2 / WebAuthN passwordless API authentication protocol. FIDO2 does not use shared secrets, like passwords, it minimizes vulnerabilities associated with data breaches.
Enterprise features
| Tool | OpenTelemetry | Custom sessions | Self-service features |
|---|---|---|---|
| Keycloak | ✅ | ✅ | ✅ |
| Authelia | ❌ | ✅ | ✅ |
| Authentik | ❌ | ✅ | ✅ |
| Zitadel | ✅ | ✅ | ✅ |
| Kanidm | ✅ | ❌ | ✅ |
| Hanko | ❌ | ❌ | ✅ |
| LLDAP | ❌ | ❌ | ❌ |
| privacyIDEA | ❌ | ❌ | ✅ |
| FreeIPA | ❌ | ❌ | ✅ |
| Rauthy | ❌ | ❌ | ❌ |
- OpenTelemetry: Open-source standard and a set of technologies for capturing and exporting metrics, traces, and logs.
- Custom sessions: Allows fine-grained control over session behaviors, such as:
- How and when MFA is triggered (e.g., at login, for sensitive actions).
- The type of MFA methods supported (e.g., TOTP, WebAuthn, SMS)
- Self-service features:
- Password reset
- User enrollment
Read more: MFA use cases, MFA examples, MFA pricing.
Privileged access management (PAM) support
| Tool | PAM support | Explanation |
|---|---|---|
| Keycloak | ⚠️ via integrations | OAuth2 PAM modules for Linux |
| Authelia | ❌ | Web-only, no system login support |
| Authentik | ❌ | Web-only, no system login support |
| Zitadel | ❌ | Only supports OAuth2/OIDC for apps. |
| Kanidm | ✅ | pam_kanidm module for Linux. |
| Hanko | ❌ | Web-only, no system login support |
| LLDAP | ⚠️ via integrations | pam_ldap module for Solaris and Linux |
| privacyIDEA | ✅ | privacyidea-pam module |
| FreeIPA | ✅ | Full native PAM support for Linux |
| Rauthy | ❌ | Web-only, no system login support |
Tools with PAM allow you to manage the access rights of privileged users.
Self-audit capabilities
| Tool | Self-audit | Explanation |
|---|---|---|
| Keycloak | ✅ | Logs admin actions, logins, token use, role changes |
| Authelia | ✅ | Logs auth flows, policies; YAML-configured + Grafana/Prometheus logging |
| Authentik | ✅ | Tracks admin logins, tokens; UI + Grafana/Prometheus logging |
| Zitadel | ✅ | Tracks logins, tokens, events |
| Kanidm | ✅ | CLI logs via journal/JSON |
| Hanko | ⚠️ Limited | Uses system logs |
| LLDAP | ⚠️ Limited | Uses system logs |
| privacyIDEA | ✅ | Logs tokens, admin changes, auths |
| FreeIPA | ✅ | Logs via auditd, sssd, Kerberos |
| Rauthy | ⚠️ Limited | Uses system logs |
Self-audit capabilities enhance log traceability, which is critical for MFA (multi-factor authentication) tools. They help track unauthorized or suspicious activity, such as enabling/disabling MFA, failed login attempts, and OTP usage.
>Enterprise-grade MFA solutions
Keycloak, Authelia, Authentik, Zitadel, and Kanidm offer extensive MFA capabilities. These free MFA tools offer:
- Several MFA methods: TOTP (time-based one-time password), WebAuthn, SMS, OIDC (OpenID Connect), Email, Push, biometric authentication, and approval-based MFA.
- Several authentication protocols: OAuth2, OIDC (OpenID Connect), SAML, LDAP, and RADIUS.
- Higher customization: Granular RBAC, and custom social SSO connections (OIDC/OAuth2) over MFA policies.
Keycloak
Keycloak is an open-source identity and access management (IAM) tool that allows you to manage authentication processes with minimal scripting. It supports several features such as single sign-on (SSO), identity brokering, social login, and role-based access control (RBAC).
Why we like it: Keycloak is enterprise-ready, backed by Red Hat, supports Java, and offers features like OpenTelemetry, federation, built-in LDAP or OpenLDAP integration, and broad protocol support (SAML, OAuth2, etc.).
The solution uses a MySQL database to store its users. This helps ensure reliable, scalable data storage for enterprise-grade applications since MySQL integrates well with other enterprise systems and supports complex queries.
Additionally, its documentation is well-structured, providing step-by-step instructions for configuring integrations.
Limitations: Note that, Keycloak is complex, unintuitive, and more difficult to install and configure compared to other MFA solutions such as Authelia and Authentik. The default Keycloak admin UI can be overwhelming for functional teams, however, you can mitigate this by building a simplified custom interface for common tasks like user management.
Authelia
Authelia is a configuration file with secrets that offers two-factor authentication and single sign-on (SSO) for your applications through a web gateway. Hence, it is much simpler and easier to manage compared to Keycloak. This makes it suitable for self-hosters with minimal UI dependency.
Moreover, the tool has an active Discord server and well-structured documentation.
Key features:
- Security keys that work with FIDO2 WebAuthn devices, such as the YubiKey.
- Time-based one-time password that works with compatible authenticator programs.
- Mobile push notifications.
- Role-based access control (RBAC).
- Kubernetes support
Authentik
Authentik is a lightweight solution compared to alternatives like Keycloak, with a less steep learning curve for smaller or less experienced teams.
It is self-hosted and supports several authentication methods (LDAP, SSO, OAuth2/OpenID, forward auth, etc.), making it adaptable to different setups.
However, Authentik lacks professional security audits. Additionally, it requires PostgreSQL and Redis, which can be overwhelming for small-scale setups or personal use.
ZITADEL
ZITADEL is an open-source identity infrastructure platform that combines Auth0 with Keycloak’s open-source commitment. It offers multi-tenancy, secure login, and self-service capabilities and supports several protocols, including OpenID Connect, OAuth2, and SAML 2.
One of ZITADEL’s main differentiating features is its multi-tenancy design. It is ideal for B2B customer and partner management, as it supports both Postgres databases.
Additionally, the solution provides several deployment options, including Linux, macOS, Docker compose, Knative, and Kubernetes.
Kanidm
Kanidm’s key advantage over other tools is that it has a broader range of “built-in” functionalities, such as OAuth2 and OIDC. To use these from other tools, you will need an external portal like Keycloak. Additionally, Kanidm currently only offers administration functionality via its CLI.
If Kanidm is too complicated for your purposes, consider LLDAP as a simpler option. If you are looking for a project with a broader feature set out of the box, Kanidm is a better option.
>Lightweight MFA tools
Hanko, LLDAP, FreeIPA, privacyIDEA, and Rauthy provide light MFA capabilities. These free MFA tools offer:
- Limited MFA methods: TOTP (time-based one-time password), WebAuthn, SMS, OIDC (OpenID Connect).
- Limited protocols: Focusing on basic integrations (e.g., OAuth or simple password-based login with TOTP).
- Low customization: Minimal options for customization (e.g., no support for custom social SSO connections or custom user metadata).
Hanko
Hanko is a passwordless authentication and toolset, it supports some MFA features (TOTP, security keys).
Key features:
- ✅ Email/username identifiers
- ✅ Passwords, passcodes, passkeys
- ✅ OAuth SSO (Sign in with Apple/Google/GitHub etc.)
- ✅ Custom SAML SSO
- ✅ Webhooks (automated messages sent from apps)
- ✅ Server-side sessions & remote session revocation
- ✅ MFA (TOTP, security keys)
- ❌ Custom Social SSO connections (OIDC/OAuth2)
- ❌ Privileged sessions & step-up authentication (2FA)
- ❌ User impersonation
- ❌ Email security notifications
- ❌ Custom user metadata
LLDAP
LLDAP is a lightweight LDAP server designed for simplicity and ease of use. It provides basic directory services.
It integrates with several backends, including KeyCloak, Authelia, and Nextcloud. The server also includes a front-end interface, allowing users to change their information or reset their passwords by email.
LLDAP primarily targets self-hosting servers, including open-source components such as Nextcloud and Airsonic, which only enable LDAP for external authentication. The data is kept in SQLite by default, but you can switch to MySQL/MariaDB or PostgreSQL.
For additional functionality (OAuth/OpenID support, reverse proxy, etc.), you can install other components (KeyCloak, Authelia, etc.).
privacyIDEA
privacyIDEA is only an MFA authentication, OTP server, and management system. It is a system that manages a large number of authentication objects centrally.
It does not include authentication protocols (e.g., Kerberos protocol) as a built-in component. All authentication protocols are handled by plugins from tools like Keycloak and Gluu. Notably, privacyIDEA can be integrated with FreeIPA to extend its authentication capabilities.
It focuses on managing 2nd factors, including:
- OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP)
- Yubikey (HOTP, TOTP, AES), FIDO U2F
- FIDO2 WebAuthn devices such as Yubikey and Plug-Up
- Smartphone apps such as Google Authenticator, SMS, Email, and SSH keys
Additionally, privacyIDEA supports custom automation cases required for 2FA procedures such as enrollment, rollover, onboarding, and offboarding. This makes its environment more complicated.
Thus, users looking to leverage heavy automation with privacyIDEA may require customized API integrations rather than just using TOTP from Keycloak out of the box.
FreeIPA
FreeIPA is an open source alternative to AD for Linux administrators. It helps to centrally manage the identity, authentication, and access control aspects of Linux and UNIX systems, providing command-line and web management tools.
Includes more components than LLDAP, such as the LDAP directory, Kerberos protocol, DNS Servers, and administrative tools, and it comes with its own schemas.
It supports various MFA features (e.g., biometric authentication) and offers more resources and configuration options compared to lighter solutions like LLDAP or privacyIDEA.
Components: FreeIPA project provides installation and management tools for the following components:
- LDAP server
- Kerberos server
- DNS server
- Samba libraries for Active Directory integration
Rauthy
Rauthy is a lightweight openID connect (OIDC) provider supporting WebAuthn but lacks additional capabilities such as RADIUS or Unix authentication. Similar to privacyIDEA, Rauthy requires you to integrate authentication protocols via plugins.
Rauthy’s distinctive feature is its social login support. It enables users to sign in using mainstream identity providers like GitHub, Google, or Microsoft, simplifying onboarding for users already tied to Big Tech ecosystems.
FAQ about MFA
What is MFA?
Multi-factor authentication (MFA) requires the user to provide two or more verification factors to access a resource such as an application, online account, or VPN. It is essential to have an effective identity and access management (IAM) policy. Rather than simply requesting a username and password, MFA requires one or more verification factors, reducing the likelihood of a successful cyber attack.
How does MFA work?
MFA works by requesting additional verification data (factors). One-time passwords are one of the most common MFA factors that users encounter.
OTPs are those 4-8-digit codes that you frequently receive via email, SMS, or a mobile app. OTPs generate a new code regularly or whenever an authentication request is submitted. The code is generated using a seed value assigned to the user when they first register, as well as another factor, which could be anything from an incremented counter to a time value.
How does MFA enhance security?
Consider your password to be similar to a front door lock. If someone discovers your password, it is as if they have found the key to the lock. Without MFA, they can stroll right in.
However, MFA asks users for extra verification, such as inputting a code sent to their phone or scanning their fingerprint.
This extra step makes it much harder for attackers to break in. Even if a third party obtains one type of authentication (such as your password), they will still need a second or third factor, which is more difficult to acquire.
Comments
Your email address will not be published. All fields are required.