Configure Multi-Factor Authentication Settings

Configure tenant-specific Multi-Factor Authentication (MFA) settings and compliance policies that define which authentication factors that you want to allow.

To define MFA settings in Oracle Identity Cloud Service, you must be assigned to either the identity domain administrator role or the security administrator role.
  1. In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Security, and then MFA.
  2. Under Select the factors that you want to enable, select each of the factors that you want to be available for your users to select.

    Note:

    You must then either edit the default sign-on rule or add a new sign-on rule for MFA. In order for a user to be prompted for an additional authentication factor, the sign-on policy rule that is applied to that user must have these settings in the Edit... dialog box, Actions section:

    • Access is set to Allowed.
    • Prompt for additional factor selected.
    • Enrollment set to Required, or the user will be allowed to skip the additional authentication factor.

    See Add a Sign-On Policy.

  3. (Optional) Click the Configure link for MFA factors you have selected to configure them individually.

    You can do this later. If you want to configure these settings now, see Configure Authentication Factors.

  4. Use the Trusted Device(s) section to configure trusted device settings.

    Similar to “remember my computer,” trusted devices don’t require the user to provide secondary authentication each time that they sign in (for a defined time period).

  5. In the Factors section, set the Maximum number of enrolled factors that your users can configure.
  6. In the Login Rules section, set the Maximum unsuccessful MFA attempts that you want to allow a user to incorrectly provide MFA verification before being locked out.
  7. Click Save, and then click OK in the Confirmation window.
  8. Ensure that any sign-in policies that are active allow two-step authentication:
    1. In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Security, and then Sign-In Policies.
    2. On the Sign-In Policies page, click Default Sign-In Policy.
    3. On the Default Sign-In Policy, select the Sign-On Rules tab.
    4. In the Default Sign-On Rule row, click the Menu icon and select Edit.
    5. In the Edit Default Sign-On Rule dialog box, ensure that Actions is set to Allowed and Prompt for an additional factor is selected.
    6. If you changed any settings, click Save.
    7. If other sign-on policies have been added, follow steps c-d above for each of those policies to ensure that MFA is enabled under all conditions where you want it to be enabled.

      Note:

      The settings for the default sign-in rule enable MFA globally. Settings for other sign-in rules may override the default sign-in rule for users and groups specified by conditions for those rules. See Manage Oracle Identity Cloud Service Sign-On Policies.