Configure FIDO Security

Configure FIDO authentication so that users can use their FIDO authentication device, for example an external authentication device such as a YubiKey, or an internal device such as Windows Hello or Mac Touch ID, to authenticate to Oracle Identity Cloud Service.

Enable FIDO. Oracle must enable this feature for you. To learn about the features that Oracle must enable for you and how to enable them, see Service Request Features for Oracle Identity Cloud Service.

  1. In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click MFA.
    The Multi-Factor Authentication (MFA) Settings page opens.
  2. Select FIDO Authenticator and click Configure.
    The FIDO Authenticator tab opens.
  3. Configure the FIDO Authenticator settings:
    • Timeout: The length of time the user has to take action. If the user doesn't take action within this period, authentication fails. The default is 60,000 milliseconds (60 seconds).
    • Attestation: Not supported.
    • Authenticator Selection Attachment: Controls which type of authenticator the user can use during registration.
      • Platform. Windows Hello and Mac Touch ID.
      • Cross Platform. Choose to use a cross-platform authenticator such as YubiKey.
      • Both (default).
    • Authenticator Selection Resident Key: Whether Resident key support should be enabled.
      • Required.
      • Preferred.
      • Discouraged.
      • None (default). The private key is encrypted and stored on the server.
    • Authenticator Selection User Verification: Relying Party's requirements regarding user verification during Registration:
      • Required.
      • Preferred (default).
      • Discouraged.
    • Public Key Types: The cryptographic algorithm used to generate a public key pair during registration. Oracle Identity Cloud Service only certifies ES256 (the default).
    • Exclude Credentials: Used by Relying Parties to limit the creation of multiple credentials for the same account on a single authenticator. Default value is false.
FIDO Authentication is now an additional sign-in factor.
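
The settings in step 3 carry the same names as fields of the WebAuthn registration request (PublicKeyCredentialCreationOptions). The following added example, which is not Oracle Identity Cloud Service code, shows how a relying party could translate them into that request. The settings-object shape, the function names, and the reading of "Attestation: Not supported" as `attestation: "none"` are assumptions.

```javascript
// Added example: console settings from this page mapped to WebAuthn creation options.
// Setting labels and the settings-object shape are assumptions for illustration.
const ATTACHMENT = { "Platform": "platform", "Cross Platform": "cross-platform", "Both": undefined };
const RESIDENT_KEY = { "Required": "required", "Preferred": "preferred", "Discouraged": "discouraged", "None": undefined };
const USER_VERIFICATION = { "Required": "required", "Preferred": "preferred", "Discouraged": "discouraged" };
const COSE_ALG = { "ES256": -7 }; // COSE identifier for ECDSA with P-256 and SHA-256
// Defaults as listed on this page.
const DEFAULTS = {
  timeout: 60000, attachment: "Both", residentKey: "None",
  userVerification: "Preferred", publicKeyTypes: ["ES256"], excludeCredentials: false,
};

function lookup(table, value, setting) {
  if (!Object.prototype.hasOwnProperty.call(table, value)) {
    throw new RangeError(`Unsupported ${setting}: ${value}`);
  }
  return table[value];
}

function buildCreationOptions(settings, rp, user, challenge, existingCredentialIds = []) {
  const s = { ...DEFAULTS, ...settings };
  if (!Number.isInteger(s.timeout) || s.timeout <= 0) {
    throw new RangeError("Timeout must be a positive number of milliseconds");
  }
  const authenticatorSelection = {
    userVerification: lookup(USER_VERIFICATION, s.userVerification, "user verification"),
  };
  // "Both" and "None" are expressed by leaving the field out of the request.
  const attachment = lookup(ATTACHMENT, s.attachment, "attachment");
  if (attachment) authenticatorSelection.authenticatorAttachment = attachment;
  const residentKey = lookup(RESIDENT_KEY, s.residentKey, "resident key");
  if (residentKey) authenticatorSelection.residentKey = residentKey;
  return {
    rp, user, challenge,
    timeout: s.timeout,
    attestation: "none", // assumption: "Attestation: Not supported" means none is requested
    authenticatorSelection,
    pubKeyCredParams: s.publicKeyTypes.map((name) => (
      { type: "public-key", alg: lookup(COSE_ALG, name, "public key type") })),
    // Listing existing credential IDs makes an authenticator that already holds one refuse to register again.
    excludeCredentials: s.excludeCredentials
      ? existingCredentialIds.map((id) => ({ type: "public-key", id })) : [],
  };
}

// Constructed sample: page defaults for a hypothetical relying party and user.
const sampleOptions = buildCreationOptions({}, { name: "Example RP" },
  { id: new Uint8Array([1]), name: "user@example.com", displayName: "User" },
  new Uint8Array(32)); // placeholder challenge; a real one is random and server-generated
```

In a browser, the returned object is what gets passed as `publicKey` to `navigator.credentials.create()`.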