Configure FIDO Security

Configure FIDO authentication so that users can use their FIDO authentication device, for example an external authentication device such as a YubiKey, or an internal device such as Windows Hello or Mac Touch ID, to authenticate to Oracle Identity Cloud Service.

Enable FIDO. This is a Standard License feature. To learn about these features, see Standard License Tier Features for Oracle Identity Cloud Service.

  1. In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Security then MFA.
    The Multi-Factor Authentication (MFA) Settings page opens.
  2. Select FIDO Authenticator and click Configure.
    The FIDO Authenticator tab opens.
  3. Configure the FIDO Authenticator settings:
    • Timeout: The length of time the user has to complete the registration or sign-in ceremony on the authenticator. If the user doesn't take action within this period, the attempt fails. The value is in milliseconds; the default is 60,000 milliseconds (60 seconds).
    • Attestation: Not supported. Oracle Identity Cloud Service does not request or verify an attestation statement at registration, so it cannot restrict registration to particular authenticator makes or models.
    • Authenticator Selection Attachment: Controls what type of authenticator the user can register.
      • Platform. Authenticators built into the user's device, such as Windows Hello and Mac Touch ID.
      • Cross Platform. Roaming authenticators that move between devices, such as a YubiKey.
      • Both (default). No attachment preference is sent, so either type can be registered.
    • Authenticator Selection Resident Key: Whether the authenticator should create a resident (discoverable) credential, which stores the credential on the authenticator itself.
      • Required. Registration fails if the authenticator cannot store a resident credential.
      • Preferred. A resident credential is created if the authenticator supports it.
      • Discouraged. A non-resident credential is preferred.
      • None (default). No resident key preference is sent. For a non-resident credential the authenticator wraps the private key into the credential ID, which Oracle Identity Cloud Service stores and returns to the authenticator at sign-in; the private key is never available in plaintext outside the authenticator.
    • Authenticator Selection User Verification: The Relying Party's requirement that the user verify themselves (PIN or biometric) on the authenticator during Registration, in addition to proving possession of it:
      • Required. Registration fails if the authenticator cannot perform user verification.
      • Preferred (default). User verification is performed if the authenticator supports it.
      • Discouraged. User verification is not requested; the factor proves possession only.
    • Public Key Types: The cryptographic algorithm used to generate the key pair during Registration. Oracle Identity Cloud Service certifies the ES256 (default; ECDSA on P-256 with SHA-256) and RS256 (RSASSA-PKCS1-v1_5 with SHA-256) algorithms. Note: The RS256 algorithm is mandatory for Windows Hello FIDO authentication, so if platform authenticators are allowed, leave RS256 enabled or Windows Hello registrations fail.
    • Exclude Credentials: When enabled, the user's already registered credential IDs are sent with the registration request, so an authenticator that already holds a credential for that account refuses to create a second one. This limits the creation of multiple credentials for the same account on a single authenticator. Default value is false.
FIDO authentication is now available as an additional sign-in factor.
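The console settings above correspond one-to-one to the WebAuthn registration options a Relying Party hands to the browser. The following is an added example, not Oracle's code and not an export of any tenant: it maps a settings object (field names are assumptions that mirror the console labels) onto a PublicKeyCredentialCreationOptions object, and adds a small configuration check for the RS256 caveat. The COSE identifiers -7 (ES256) and -257 (RS256) are from the COSE algorithm registry; in a browser the returned object is passed as `navigator.credentials.create({ publicKey: options })`.

```javascript
// Added example (not Oracle Identity Cloud Service code): translate the FIDO
// Authenticator console settings into WebAuthn registration options.

// COSE algorithm identifiers for the two key types the page lists.
const COSE_ALG = { ES256: -7, RS256: -257 };

// Constructed sample of the console settings with the page's defaults.
// The property names are assumptions chosen to mirror the console labels.
const DEFAULT_SETTINGS = {
  timeoutMs: 60000,
  attestation: "none",            // attestation is not supported, so none is requested
  attachment: "Both",             // "Platform" | "Cross Platform" | "Both"
  residentKey: "None",            // "Required" | "Preferred" | "Discouraged" | "None"
  userVerification: "Preferred",  // "Required" | "Preferred" | "Discouraged"
  publicKeyTypes: ["ES256", "RS256"],
  excludeCredentials: false,
};

// Decode a base64url credential ID into the Uint8Array WebAuthn expects.
function b64urlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + pad;
  return new Uint8Array(Buffer.from(b64, "base64"));
}

// Build PublicKeyCredentialCreationOptions from the settings.
// rp, user and challenge are supplied by the Relying Party; existingCredentialIds
// are the user's registered credential IDs in base64url.
function buildCreationOptions(settings, rp, user, challenge, existingCredentialIds = []) {
  const authenticatorSelection = {
    userVerification: settings.userVerification.toLowerCase(),
  };
  // "Both" expresses no preference, so authenticatorAttachment is omitted.
  if (settings.attachment === "Platform") {
    authenticatorSelection.authenticatorAttachment = "platform";
  } else if (settings.attachment === "Cross Platform") {
    authenticatorSelection.authenticatorAttachment = "cross-platform";
  }
  // "None" leaves residentKey unset; the authenticator then wraps the private
  // key into the credential ID, which the server stores and returns at sign-in.
  if (settings.residentKey !== "None") {
    authenticatorSelection.residentKey = settings.residentKey.toLowerCase();
    authenticatorSelection.requireResidentKey = settings.residentKey === "Required";
  }

  const pubKeyCredParams = settings.publicKeyTypes.map((t) => {
    if (!(t in COSE_ALG)) throw new Error(`unsupported public key type: ${t}`);
    return { type: "public-key", alg: COSE_ALG[t] };
  });

  return {
    rp,
    user,
    challenge,
    timeout: settings.timeoutMs,
    attestation: settings.attestation,
    authenticatorSelection,
    pubKeyCredParams,
    // Only sent when the console flag is on: an authenticator that already
    // holds one of these IDs refuses to register a second credential.
    excludeCredentials: settings.excludeCredentials
      ? existingCredentialIds.map((id) => ({ type: "public-key", id: b64urlToBytes(id) }))
      : [],
  };
}

// Configuration check for the caveat on the page: RS256 is mandatory for
// Windows Hello, so any setting that admits platform authenticators must
// offer RS256. Also flags "Discouraged" verification, which reduces the
// factor to possession only.
function lintSettings(settings) {
  const issues = [];
  if (settings.attachment !== "Cross Platform" && !settings.publicKeyTypes.includes("RS256")) {
    issues.push("RS256 not enabled: Windows Hello registrations will fail");
  }
  if (settings.userVerification === "Discouraged") {
    issues.push("user verification discouraged: authenticator proves possession only");
  }
  return issues;
}

module.exports = { COSE_ALG, DEFAULT_SETTINGS, b64urlToBytes, buildCreationOptions, lintSettings };
```

Run `lintSettings` against the settings you intend to save; with the defaults it returns no issues, while restricting Public Key Types to ES256 alone with Platform or Both attachment reports the Windows Hello problem before any user hits it.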