Built-in Security Key Authenticators in Gluu Casa

Multi-Factor Authentication your Way

Everyone knows passwords are bad. Try typing your password into a game console: the usability is terrible, and the security is even worse. The attack surface of passwords is large and getting larger every day. So why don't all organizations use Multi-Factor Authentication (MFA)?

The answer is simple. While other authentication technologies are both more secure and more usable than passwords, they are harder for organizations to deploy. Organizations know how to enroll passwords and how to reset them. But can your organization manage all of its MFA technologies under a single roof?

Casa provides a single point of management where end users can view, enroll, and remove MFA credentials, including hardware tokens, software tokens, commercial services (like Duo), social login, biometrics, and mobile. Casa is also extensible: as new authentication technologies arise, you can download plugins and use them in your organization through Casa.


Login with or without Passwords

[Screenshots: Step 1 and Step 2 of the login flow]

Self-Service MFA Done Right

In the old days "password reset" was a standard identity management (IDM) feature, and every IDM still has this capability today. But as organizations roll out MFA, the password-reset process needs an upgrade. Consumer service providers that excel at security, like Google and GitHub, let end-users see all of their MFA credentials on one page, add new credentials, and remove old ones. Organizations need this capability too. That's why we built Gluu Casa: so your organization can manage MFA like the pros.

Eliminate Phishing with FIDO

To defeat phishing, we need to stop the "man in the middle" (MITM) attack, where a look-alike site relays the victim's login to the real site in real time. Passwords are vulnerable, but so are OTP tokens and mobile push notifications: any factor that the user reads off one device and types (or approves) on another can be relayed by the attacker. To fight phishing, end-users need to register credentials that are bound to the web browser and to the site's origin. FIDO2/WebAuthn is the critical tool for this: the browser records the origin in the signed client data and the authenticator scopes the key to the relying party's ID, so a response obtained at a look-alike domain does not verify at the real site. A further advantage of FIDO is that end-users can bring their own devices, for example laptops and phones with FIDO capabilities built in. But without self-service tools like Casa, end-users have no way to enroll their devices (or to remove old ones).
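The origin-binding checks that make a relayed FIDO response fail are small enough to show in code. The following is an added example, not Casa's or Gluu's own implementation: a relying party verifying the clientDataJSON and authenticatorData of a WebAuthn assertion. The RP ID, allowed origin, challenge, stored counter and the sample data are all constructed here. The last step of a real verification, checking the authenticator's signature over authenticatorData || SHA-256(clientDataJSON) against the enrolled public key, needs an ECDSA/RSA library and is deliberately not part of this snippet.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Relying-party configuration (assumed values for this example).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class StoredCredential:
    """What the RP persisted at enrollment (public key omitted in this example)."""
    credential_id: bytes
    sign_count: int


def make_authenticator_data(rp_id: str, sign_count: int,
                            flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED) -> bytes:
    """Build the 37-byte authenticatorData an authenticator returns for an assertion:
    SHA-256(rpId) || flags || 32-bit big-endian signature counter. Used here to construct samples."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, stored: StoredCredential) -> str:
    """Check the origin-binding parts of a WebAuthn assertion.
    Returns "ok" or the reason the assertion was rejected."""
    try:
        client_data = json.loads(client_data_json)
        if not isinstance(client_data, dict):
            raise ValueError("not an object")
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return "clientDataJSON is malformed"
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(challenge, expected_challenge):
        return "challenge mismatch (stale or replayed ceremony)"
    # The browser, not the page, writes the origin: a look-alike domain cannot forge it.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return f"origin {origin!r} is not allowed"
    if len(authenticator_data) < 37:
        return "authenticatorData too short"
    # The authenticator scopes the key to the rpId; a phishing site can only obtain
    # assertions for its own rpId, whose hash will not match ours.
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash does not match our RP ID"
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return "user presence flag not set"
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    # A counter that fails to increase suggests a cloned authenticator or a replay.
    if sign_count != 0 and sign_count <= stored.sign_count:
        return "signature counter did not increase"
    stored.sign_count = sign_count
    return "ok"


def client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON, shaped as a browser serializes it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def demo() -> dict:
    challenge = b"\x11" * 32  # constructed; a real RP draws secrets.token_bytes(32) per ceremony
    cred = StoredCredential(credential_id=b"cred-1", sign_count=10)
    genuine = verify_assertion(client_data(challenge, "https://login.example.com"),
                               make_authenticator_data(RP_ID, 11), challenge, cred)
    # Real-time phishing proxy: the victim's browser signed for the attacker's origin and rpId.
    phished = verify_assertion(client_data(challenge, "https://login-example.com.evil.test"),
                               make_authenticator_data("login-example.com.evil.test", 12),
                               challenge, cred)
    return {"genuine": genuine, "phished": phished}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The phished case fails on the origin check before the rpIdHash is even examined; an OTP or push approval relayed through the same proxy would carry nothing that ties it to the domain the user actually visited, which is why those factors are phishable and this one is not.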

Modern Multi-Factor Authentication

Adaptive Authentication

Create a profile for each user, which includes information such as the user’s geographical location, registered devices, role, and more. Each time someone tries to authenticate, the request is evaluated and assigned a risk score. Depending on the risk score, the user may be required to provide additional credentials.

Location-based Authentication

Configure geo-location rules so that a login attempt from a location the user does not normally use triggers a requirement for multi-factor authentication (MFA), or other verification steps, before access is granted.

Trusted Browser

Configure browser verification. When you log in from a browser that has not been seen before, you'll be asked to verify it by entering your email, password, and a security code. Once you've entered these credentials, that browser is treated as trusted for subsequent logins.

Deploy cloud-native

If you love Kubernetes, or managed services like Amazon EKS, Google GKE or SUSE Rancher, then Casa is for you! Casa supports cloud-native deployments using standard tools like Helm. Casa also supports multiple database backends, including LDAP, Couchbase, RDBMS, Amazon Aurora, and Google Spanner.

Enforce strong authentication

Only the right user on the right device can gain access to applications. Improve your organization's security posture by locking the front door! Casa exposes a standard OpenID Connect interface and returns an id_token (a signed JWT) whose claims applications can use for policy enforcement.
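What "policy enforcement" on the id_token looks like at the application side is shown by the added example below. It is not Casa's or the Gluu Server's code, and it makes two assumptions: the token is signed with HS256 so the sample can run offline (a real OpenID Provider signs with RS256 or ES256 and the application verifies against the provider's published JWKS), and the strong-factor policy is expressed with the RFC 8176 amr values (hwk, otp, fpt, face, mfa); a deployment must map these to the values its provider actually issues. Issuer, client ID, key and claims are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed deployment values for this example.
ISSUER = "https://idp.example.com"
CLIENT_ID = "casa-demo-client"
# RFC 8176 amr values this policy accepts as a strong factor (assumption; map to your OP's values).
STRONG_AMR = {"hwk", "otp", "fpt", "face", "mfa"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a test id_token. HS256 is used only so the sample runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, nonce: str, now=None, max_auth_age: int = 300):
    """Validate an id_token and enforce an MFA policy on its amr claim.
    Returns (claims, "ok") on success, or (None, reason) on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return None, "undecodable token"
    # Pin the algorithm; never let the token choose it (alg=none and key-confusion attacks).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        return None, "token not issued for this client"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if claims.get("nonce") != nonce:
        return None, "nonce mismatch (replayed token)"
    if not isinstance(claims.get("auth_time"), int) or now - claims["auth_time"] > max_auth_age:
        return None, "authentication too old, require re-authentication"
    amr = set(claims.get("amr", []))
    if not amr & STRONG_AMR:
        return None, f"policy: strong factor required, got amr={sorted(amr)}"
    return claims, "ok"


def demo() -> dict:
    key = b"constructed-shared-secret-for-the-demo"
    now, nonce = 1_700_000_000, "n-0S6_WzA2Mj"
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now - 5,
            "exp": now + 600, "auth_time": now - 5, "nonce": nonce}
    results = {
        "hardware_key": verify_id_token(sign_hs256({**base, "amr": ["pwd", "hwk"]}, key), key, nonce, now)[1],
        "password_only": verify_id_token(sign_hs256({**base, "amr": ["pwd"]}, key), key, nonce, now)[1],
        "wrong_audience": verify_id_token(sign_hs256({**base, "aud": "other-app", "amr": ["hwk"]}, key),
                                          key, nonce, now)[1],
    }
    # Flip the first character of the signature to simulate tampering.
    h, p, s = sign_hs256({**base, "amr": ["hwk"]}, key).split(".")
    s = ("B" if s[0] != "B" else "C") + s[1:]
    results["tampered"] = verify_id_token(f"{h}.{p}.{s}", key, nonce, now)[1]
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of the checks matters: the signature is verified before any claim is trusted, and the amr policy decision comes last, so a token that fails structurally is never treated as merely "weak".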

No more password resets

Users can easily enroll, manage and remove passwordless credentials on all their devices without calling the help desk or degrading the security of the credentials. An organization's MFA is only as strong as the weakest account recovery workflow!

Casa is a standards-based authentication platform that supports a wide range of commercial authentication solutions

Built-in MFA that comes out of the box!

FIDO / WebAuthn

Many great USB, Bluetooth, and Lightning tokens are available from vendors like Yubico, Feitian, AuthenTrend, and others. Newer iPhones and MacBooks also have FIDO authenticators built in. FIDO credentials can't be provisioned "top-down": the user has to be present to enroll each device. That makes Casa an essential tool for rolling out FIDO.

Super Gluu, a free iOS / Android App

Super Gluu can be configured for a passwordless authentication workflow where the user scans a QR code for each sign-in, or simply enters a username and approves a push notification. It can also be used for traditional username + password + mobile push authentication. Because Super Gluu is an open-source project, your organization can also brand and distribute its own version of the app.

Built-in HOTP / TOTP

Sometimes good old OATH tokens (HOTP/TOTP) are handy. Some devices just don't support any mechanism to display a web page, and submitting a one-time code in place of a static password at least limits what a captured credential is worth. Casa supports enrolling an OTP software app (like Google Authenticator) by scanning a QR code. You can also enroll a hardware OTP device (e.g. a keyfob), manually or via an API.

Plugins offer more MFA options

Casa is a plugin-oriented, Java web application. Existing functionality can be extended and new functionality and APIs can be introduced through plugins.


BioID Web Service offers liveness detection and facial recognition biometric authentication service. It strengthens identity verification around the world with reliable, device-independent anti-spoofing. BioID liveness detection is compliant with ISO/IEC 30107-3 and offers seamless implementation and user experience, requiring nothing more than a few selfies taken with any standard camera.


Multi-factor authentication from Cisco’s Duo protects your applications by using a second source of validation, like a phone or token, to verify user identity before granting access. Duo is engineered to provide a simple, streamlined login experience for every user and application, and as a cloud-based solution, it integrates easily with your existing technology.


Stytch consolidates passwordless authentication into one API.
Now supported in both Gluu Server, and Gluu Casa!

Watch the demo:  Integrating Stytch SMS OTP authentication with Casa

Read the post: OpenID enables Stytch passwordless authentication with Gluu Casa


The SMS OTP plugin sends a one-time password (OTP) by SMS text message to the user's phone. The user receives the OTP and enters it on the device where the authentication is taking place. The OTP must be used within a specific time frame.

X.509 Certificate

The browser certificate plugin allows users to enroll X.509 digital certificates and use them as a second-factor authentication method.


When this plugin is configured to use email, the user is asked to enter their email address, to which a one-time-use code is sent. The user then enters the code into your application to authenticate.

Registration Approval

Configure self-registration to require approval after a new directory user registers. Users will not be able to sign in immediately after registering; their registration must first be approved by the site administrator.

RSA SecurID Authentication

RSA SecurID authentication can be enforced for all privileged users of the organization. This integration provides an extra security layer enabling a centralized, secure access via single sign-on to an organization’s IT assets.

Consent Management

The Consent Management plugin gives end-users the ability to view and revoke previously granted authorizations provided to applications accessed with their account in a Gluu Server.

Casa is included with the Gluu Server
