Managing Multi-Factor Authentication
Multi-Factor Authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user’s identity.
With MFA enabled in an identity domain, when a user signs in to an application, they’re prompted for their user name and password, which is the first factor – something that they know. The user is then required to provide a second type of verification. The two factors work together to add an additional layer of security by using either additional information or a second device to verify the user’s identity and complete the login process.
MFA may include any two of the following:
-
Something that you know, like a passcode.
-
Something that you have, like a device.
-
Something that you are, like your fingerprint.
Users are increasingly connected, accessing their accounts and applications from anywhere. As an administrator, when you add MFA on top of the traditional user name and password, you reduce the likelihood of online identity theft and fraud, which secures your business applications even if an account password is compromised.
Securing IAM MFA with Oracle Best Practices
If you're using MFA with identity domains, we recommend that you set up MFA using Oracle best practices. See IAM MFAin the Security guide.
Using MFA in Restricted Realms
Not all MFA providers operate exclusively within restricted realm boundaries. Therefore, before enabling MFA features, we recommend that you carefully evaluate the MFA providers you may want to use, to ensure they operate within the bounds of a restricted realm and that they meet your organization’s security and compliance requirements.
Using Mobile Authenticator Apps with MFA
Using a mobile authenticator application for MFA provides a second factor of authentication in the form of a time-based one-time passcode (OTP) or push notification, and offers multiple options for implementing app protection and compliance policy.
A mobile authenticator app is a soft token that is installed on a mobile device. A mobile authenticator app uses either OTP or push notifications to prove that the user has possession of the mobile device. Only the mobile authenticator app that is in possession of the user's secret key can generate a valid OTP. During MFA enrollment, when a user scans the Quick Response (QR) code or uses the enrollment URL, the mobile authenticator app is automatically configured with the IAM server. The mobile authenticator app retrieves a secret key, which is required to generate the OTP and to receive push notifications on the mobile authenticator app. That secret key is then shared between the client and the IAM server. If the user is enrolling offline, IAM shares the secret with the Mobile Authenticator through a QR Code. If the user is enrolling online, IAM shares the secret with the Mobile Authenticator through the enrollment notification.
A user can use the mobile authenticator app to generate an OTP both online or offline. However, registering for push notifications and performing device compliance checks (jailbreak detection/PIN protection) can only be done while online.
- Mobile App Passcode: Use a mobile authenticator app, such as the Oracle Mobile Authenticator app, to generate an OTP. A new OTP is generated every 30-60 seconds and is valid for 90-180 seconds. After the user enters their user name and password, a prompt appears for the passcode. After generating the passcode using the mobile authenticator app, the user enters that code as the second verification method.
- Mobile App Notification: Send a push notification to the OMA app that contains an approval request to allow or deny a login attempt. After the user enters their user name and password, a login request is sent to their phone. The user taps Allow to authenticate.
The OMA app is available for Android, iOS, and Windows operating systems.
During MFA enrollment, a user must enter the key manually or use the enrollment URL when using the OMA app on a Surface Pro or Windows Desktop device. The QR code scanner can't be used due to a camera limitation. When a user enters that key manually, the OMA app supports only BASE32 encoding.
When you enable both the Mobile App Passcode and Mobile App Notification factors and a user is enrolled in Mobile App as a second method of verification, the Mobile App Notification factor is the default that is presented to the user. Users can change which factor they want to use by either selecting a different backup verification method when logging in or by selecting a different method as their default option. IAM users can use the OMA app or any supported third-party authenticator app that they want to generate OTPs. However, users must use the OMA app to receive push notifications.
IAM works with any third-party authenticator app (such as Google Authenticator) that adheres to the TOTP: Time-Based One-Time Password Algorithm specification. There are no special administrator configuration steps for third-party authenticator apps. When a user enrolls in MFA and selects Mobile App as the method, the user can either select the Enter Key Manually or Scan offline QR code options to set up third-party authenticators. We recommend the use of the OMA app as it supports notifications and security features such as app protection policy, compliance policy, and silent key refresh.
Multi-Factor Authentication (MFA) Authorization Flow
The authorization flows that support MFA are the Authorization Code Grant Type and SAML2 Assertion.
Authorization Flows that Don’t Support MFA:
-
Resource Owner Password Credentials Grant Type
-
Client Credentials Grant Type
-
Assertion Grant Type
-
Implicit Grant Type
Using the Console
Register a client application before you configure Multi-Factor Authentication (MFA) so that you have the credentials (Client ID and Client Secret) that are used for authentication in REST API calls. Oracle Support can use your Client ID and Client Secret to help you troubleshoot if you have issues, for example if you lock yourself out of an identity domain when configuring MFA.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Click Add application.
- In the Add application window, click Confidential Application, and then click Launch workflow.
- In Add application details, enter an application name and description, and then click Next.
- Select Configure this application as a client now, and then, in the Authorization section that appears, select only Client Credentials as the Allowed Grant Type.
- Scroll down, and select Add app roles and then Add roles.
- In the Add app roles dialog window, select Identity Domain Administrator in the list, and then click Add.
- Click Next and then click Finish.
- On the application detail page, scroll down to General Information. Copy the Client ID and the Client Secret and store it in a safe place.
- Click Activate, after the application is created.
Configure multi-factor authentication (MFA) settings and compliance policies that define which authentication factors that you want to allow and then configure the MFA factors.
- Create a test user in a test identity domain. Use that identity domain to set up MFA for the first time. See Creating an Identity Domain and Creating a User.
- Set up a client application to enable access to your identity domain using the REST API in case your Sign-On Policy configuration locks you out. If you don’t set up this client application and a Sign-On Policy configuration restricts access to everyone, then all users are locked out of the identity domain until you contact Oracle Support. For information about setting up the Client Application, see Registering a Client Application.
To define MFA settings, you must be assigned to either the identity domain administrator role or the security administrator role.
- Enable MFA for a test account. See Configuring an Additional 2–step Verification Method.
- Sign out of the Console.
- Sign in as the test user. You should be prompted for a second factor.
You can configure the following authentication factors for an identity domain.
- Security Questions: Prompt the user to answer security questions to verify their identity. After the user enters their user name and password, they must answer a defined number of security questions as the second verification method.
- Email: Send a one-time passcode in an email to the user. After the user selects Email as the authentication method, IAM sends a one-time passcode to the user’s primary email address for use as a second verification method. The user’s primary email (Email) address is defined in the user’s IAM account.
- Duo Security: Enable Duo Security as an MFA Factor so that users use the Duo App or other Duo factors to authenticate. If Duo Security is enabled, users that have not enrolled are prompted to do so when a Sign-On policy triggers an MFA verification.
- Fast ID Online (FIDO): Configure FIDO authentication so that users can use their FIDO authentication device, for example an external authentication device such as a YubiKey, or an internal device such as Windows Hello or Mac Touch ID, to authenticate to an identity domain.
- Mobile App Passcode: Use an authenticator app, such as the Oracle Mobile
Authenticator (OMA) app to generate an OTP. An OTP can be generated even when the
user's device is offline. After the user enters their user name and password, a
prompt appears for the passcode. The user obtains a generated passcode from the app,
and then enters the code as the second verification method.
IAM also works with any third-party authentication app that adheres to the TOTP: Time-Based One-Time Password Algorithm specification, such as the Google Authenticator.
- Mobile App Notification: Send a push notification that contains an approval request to allow or deny a login attempt. Push notifications are an easy and quick way to authenticate. After the user enters their user name and password, a login request is sent to the app on their phone. The user taps Allow to authenticate.
- Text Message (SMS) or Phone Call: Send a passcode as a text message (SMS) or as a phone call to the user. This method is useful for users without Internet connectivity. After the user enters their user name and password, IAM sends a passcode to their device for use as a second verification method.
- Bypass Code: Use the IAM self-service console to generate bypass codes. The ability to generate a bypass code is available to the user after the user enrolls in 2-Step Verification. Users can generate bypass codes and save for use later. User-generated bypass codes never expire, but can only be used once. Users also have the option to contact an administrator to obtain a bypass code for access.
Configure security questions settings, select the security questions that a user may use as a second verification method during sign-in, and add custom security questions.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Two-factor authentication. Click Security questions.
- In the Security questions settings section, set options for
answer length and the number of questions a user is asked.
- Minimum number of questions: The minimum number of security questions a user must configure.
- Minimum answer length (characters): The minimum number of characters that must be contained in each security question answer.
- Number of security questions a user is asked: The default number of
security questions that a user must set up is set to three. Note
This value can't be changed using the user interface. If you need to change this number, you must use the/SecurityQuestionSettings
endpoint.
- In
the Manage security questions section, select the check boxes for the
questions that you want to use. To disable a default security question, clear the
check box for that question.
- Select the Language in which you want to view the questions.
- To add a custom security question:
- Click Add question.
- In the Add a security question page, enter the custom security question in the Default language field. Optionally, enter the translated question text into the appropriate language row. When you view the custom security questions in a different language, those questions appear in your default language if you don’t provide translated question text.
- Click Save.
- Confirm your changes.
Your custom question is added at the bottom of the user-defined Questions list.
- To edit a custom question:
- Locate the custom question in the user-defined Questions list.
- Click the menu to the right of the question and select Edit.
- Make your changes and click Save.
- To remove a custom question:
- Locate the custom question in the user-defined Questions list.
- Click the menu to the right of the question and select Remove.
- Click Remove in the confirmation dialog box.
Configure passcode settings for sending users a one-time passcode (OTP) as a text message or as a phone call. Use a text message template to create the wording in the text message and use a phone call template to configure the phone call.
Configure settings for sending a one-time passcode (OTP) to a user's primary email address.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Two-factor authentication. Click Email.
- In the Configure the email settings for MFA section, set the passcode length and the passcode validity.
- In the Configure the email settings for account recovery and activation section, configure activation and password reset validity and whether you want to allow the user to add an alternate email address for account recovery.
- Click Save changes.
- Confirm your changes.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.Select the identity domain you want to work in and click Settings and then Notifications.
- Select the Email templates tab.
The template name is 2-Step email one-time passcode verification.
If you have implemented or want to implement Duo security as a third-party multi-factor authentication (MFA) solution, and IAM manages your primary authentication and identity management, you can connect to and integrate with Duo to secure Oracle IaaS, PaaS, or SaaS applications or to secure applications already secured by IAM.
- Download and install the Duo Mobile app from the Google Play Store or the Apple Store.
Configure FIDO authentication so that users can authenticate with an external authentication device such as a YubiKey, or an internal device such as Windows Hello or Mac Touch ID.
Configure policy for the time-based one-time passcode (OTP), and protection and compliance policies for the Oracle Mobile Authenticator (OMA) app.
Configure settings for sending a passcode as a text message (SMS) to the user. This method is useful for users without Internet connectivity.