Managing 2-Step Verification

2-step verification is an authentication method that requires you to use more than one way of verifying your identity, providing a second layer of security to your account.

Note

The tasks in this section are for users to perform to set up 2-step verification to sign in to an identity domain using the options configured by an administrator. If you're an administrator who needs to set up MFA for an identity domain, see Managing Multifactor Authentication.

When you sign in to an identity domain, you're prompted for your username and password, which is the first factor. You then might be required to provide a second type of verification. Providing a second type of verification is called 2-Step Verification. The two factors work together to add an additional layer of security by using either additional information or a second device to verify your identity and complete the sign-in process.

Registering for 2-Step Verification

Register for 2-step verification for your account either during sign-in, after you enter your username and password at the login page, or by using the 2-step verification page from the self-service My profile console. You can also use the 2-step verification page to perform tasks such as enabling and disabling 2-step verification, setting up authentication factors, trusting a device, and generating bypass codes.

Supported 2-Step Verification Factors

The 2-step verification factors that are available for you to set are dependent upon the selections your identity domain administrator or security administrator made when they set up 2-factor verification for your identity domain. For example, if your administrator disabled email as a 2-factor verification factor, then you can't use email. 2-step verification factors that aren't enabled don't appear in the Security tab of the My profile console.

The following 2-step verification factors are supported:

  • Security Questions: Answer security questions to verify your identity. After you enter your username and password, you must answer a defined number of security questions as the second verification factor.
  • Email: Send a one-time passcode in an email to your primary email address for use as a second verification factor.
  • Duo Security: Use the Duo App or other Duo factors to authenticate.
  • Fast ID Online (FIDO): Use a FIDO authentication device, for example an external authentication device such as a YubiKey, or an internal device such as Windows Hello or Mac Touch ID, to authenticate to an identity domain.
  • Mobile App Passcode: Use an authenticator app, such as the Oracle Mobile Authenticator (OMA) app, to generate an OTP. An OTP can be generated even when your device is offline. After you enter your username and password, a prompt appears for the passcode. You get a generated passcode from the app, and then enter the code as the second verification factor. IAM also works with any third-party authentication app that adheres to the TOTP: Time-Based One-Time Password Algorithm specification, such as the Google Authenticator.
  • Mobile App Notification: Receive a push notification that contains an approval request to allow or deny a login attempt. Push notifications are an easy and quick way to authenticate. After you enter your user name and password, a login request is sent to the app on your phone. You tap Allow to authenticate.
  • Bypass Code: Use the IAM self-service console to generate bypass codes. The ability to generate a bypass code is available after you enroll in 2-Step Verification. You can generate bypass codes and save them to use later. User-generated bypass codes never expire, but can only be used once. You also have the option to contact an administrator to obtain a bypass code for access.

This section contains the following tasks: