Enable Multi-Factor Authentication to Authenticate into Linux

Learn how to set up Multi-Factor Authentication (MFA) so Linux users can authenticate via multiple factors.

  1. Enable the MFA factors for your requirements. See Configure Multi-Factor Authentication Settings and Configure Authentication Factors
  2. Create a group for MFA, and add the POSIX Users to this group.
    1. Navigate to Groups > Add.
    2. Enter the Name of the group and click Next.
    3. Search for the POSIX users you want to enable for MFA.
    4. Select the users and click Finish.
  3. Create a Sign-On rule.
    1. Navigate to Security > Sign-On Policies and click Default Sign-On Policy.
    2. Click Sign-On Rules and then Add.
    3. Enter a Rule Name, and under Conditions in the field And is a member of these groups type and select the group that you created above. Under Actions make sure Access is set to Allowed and check the Prompt for an additional factor checkbox. Change the Enrollment to Optional and click Save.


      At present the only sign on policy that the Oracle Identity Cloud Service Linux Pluggable Authentication Module (PAM) supports, is the Default Sign-On Policy.
  4. Move the newly created sign-on rule to the top by clicking on the sign-on rule and dragging it to the top of the list. Click Save. This will ensure that this rule gets evaluated first so that users belonging to the chosen group are prompted for MFA when they sign in.
  5. Login to Oracle Identity Cloud Service as a user in the MFA Group, for example via https://identity-cloud-service-instance-url/ui/v1/myconsole
  6. Enroll the user in MFA and select the factors to enroll in.


    Backup factors are not currently supported with the Oracle Identity Cloud Service Linux PAM .
  7. Once the user is enrolled in MFA, test authentication on Linux:
    1. SSH into your Linux environment where the Oracle Identity Cloud Service Linux PAM is installed.
    2. When prompted enter the password for the Oracle Identity Cloud Service user.
    3. Enter the second factor with which to authenticate.
    For example, for a user who has configured SMS as their second factor:
    # ssh userPosix@host.example.com
    Complete 2-Step Verification
    An SMS that contains a passcode was sent to +1XXXXXXX455. Enter the passcode or use the following option, and then press Enter:
    r - Resend passcode
    Enter the passcode or an option (r):
    Last login: Thu Mar 28 16:18:52 2019 from localhost
    [userPosix@host ~]$