Use YubiKey as Your Second-Factor Authentication Device in Oracle Identity Cloud Service

Before You Begin

This 10-minute tutorial shows you how to set up your Oracle Identity Cloud Service profile to allow you to use a Yubikey device as second-factor authentication to access Oracle Cloud or any applications integrated with Oracle Identity Cloud Service.

Background

Oracle Identity Cloud Service supports Time-based, One-Time Passcodes (TOTP or OTP) as one of the Multi-Factor Authentication methods. If you enable the Mobile OTP factor, then you must provide an OTP generated by your registered device during authentication.

By default, the Mobile OTP factor is configured to work with the Oracle Mobile Authenticator app as the device which generates the OTP, but you can use other types of devices such as a Yubikey device.

A Yubikey is a security key device that supports a number of authentication factors, including TOTP. When used as a second factor, security keys help prevent phishing attacks by requiring users to prove that they possess a registered device. The Yubikey manufacturer provides an authenticator application called Yubico Authenticator. This application enables you to generate an OTP that you submit to Oracle Identity Cloud Service during the second step of the authentication process.

Note: There are different ways to activate and generate the codes for security keys. Your key may require you to tap, press a button, or be scanned by a Near Field Communication (NFC) capable device to access the OTP. If you have difficulty registering, activating, or using your security key, then verify that your security key supports TOTP and NFC. Refer to the manufacturer's instructions for your device.

What Do You Need?


Enable the Device in the 2-Step Verification Page

Add the Mobile App factor in the 2-Step Verification page and generate a Quick Response (QR) code for your device.

  1. Use your Oracle Cloud credentials to sign in to Oracle Identity Cloud Service.

    After you sign in, the Enable 2-Step Verification page opens.

  2. In the Enable 2-Step Verification page, click Enable.

    Note: If you have signed in before and skipped the Enable 2-Step Verification page, then access this page through the My Profile console. See Adding a 2–Step Verification Method from the Self-Service Console.

  3. In the Select a Method step, you see the list of factors enabled for your Oracle Identity Cloud Service environment. Click Mobile App.
  4. In the Download and Configure the Mobile App step, select Scan offline QR code to generate a new QR code.

    Note: By default, Oracle Identity Cloud Service presents a QR Code that's supported by the Oracle Mobile Authenticator app. The Yubico Authenticator application supports only the offline QR code mode.


Register the Yubikey Device

You can use either the desktop or the mobile version of the Yubico Authenticator application. Choose one and follow the corresponding section.

Use the Yubico Authenticator Desktop Application

  1. Run the Yubico Authenticator application on your desktop.
  2. Insert your Yubikey device into a USB port on your desktop. The Yubico Authenticator application reads the key and lists any credentials stored on it.
  3. In the Yubico Authenticator application, click File, and then click Scan QR code. Make sure the QR code image is visible on your desktop screen.
  4. In the New credential window of the Yubico Authenticator application, select Require touch, and then click Save credential.

    Note: For security reasons, select Require touch so that the security key requires you to touch the key button before it generates a code. This prevents credential hijackers or malicious software that has gained access to your desktop from generating codes from any credential stored on your device without your permission.

  5. Right-click the new entry that has been added to the Yubico Authenticator application, and then click Generate code.

    A message appears on the screen asking you to touch the key. Touch the key to generate an OTP.

  6. Enter the OTP in the Enter the passcode generated by the App field, and then click Verify.
  7. After the Successfully Enrolled message appears on the screen, click Done.

Use the Yubico Authenticator Mobile Application

To use the Yubico Authenticator mobile application, you need an NFC-capable mobile device, with NFC enabled.

  1. Run the Yubico Authenticator application on your mobile device, click + to add a new Yubikey, click SCAN QR-CODE, and then point the device at the screen to scan the QR code.
  2. In the New credential screen of the Yubico Authenticator application, change the value of the Issuer field to mykey, and then click SAVE.
  3. Put your mobile device close enough to your security key for the NFC to identify the key.

    The Yubico Authenticator application now contains a new entry, and an OTP appears on the mobile device screen.

  4. Enter the OTP in the Enter the passcode generated by the App field of the 2-Step Verification page, and then click Verify.
  5. After the Successfully Enrolled message appears on the screen, click Done.

Use the Yubikey Device During Authentication

Sign in to Oracle Identity Cloud Service and use the Yubikey device during second-step verification.

  1. Access any Oracle Identity Cloud Service protected application or sign in to Oracle Cloud.

    The Oracle Identity Cloud Service Sign In page opens.

  2. Provide your credentials, and then click Sign In.

    The 2-Step Verification page opens, requesting you to provide a Passcode.

  3. If you're using the Yubico Authenticator desktop application, right-click the key you have registered, and then click Generate code to generate an OTP.

    If you're using the Yubico Authenticator mobile application, put your mobile device close enough to your security key. After your device identifies the key, it generates an OTP.

  4. In the 2-Step Verification page, enter the OTP, and then click Verify.

    You're signed in to Oracle Identity Cloud Service.


(Optional) Manage 2-Step Verification Devices

When you register your Yubikey device, Oracle Identity Cloud Service provides a name for the device. You can change the name or remove the device.

  1. Access the Oracle Identity Cloud Service My Profile console.
  2. Click the 2-Step Verification tab, and then click Manage.
  3. In the 2-Step Verification page, you can manage the devices you have registered by clicking the Action menu, and then selecting Rename or Remove.

Want to Learn More?