Learn About Using Mobile Authenticator Apps with MFA

Using a mobile authenticator application for MFA provides a second factor of authentication in the form of a time-based one-time passcode (OTP) or push notification, and offers multiple options for implementing app protection and compliance policy.

A mobile authenticator app is a soft token that is installed on a mobile device. A mobile authenticator app uses either OTP or push notifications to prove that the user has possession of the mobile device. Only the mobile authenticator app that is in possession of the user's secret key can generate a valid OTP. During MFA enrollment, when a user scans the Quick Response (QR) code or uses the enrollment URL, the mobile authenticator app is automatically configured with the Oracle Identity Cloud Service server. The mobile authenticator app retrieves a secret key, which is required to generate the OTP and to receive push notifications on the mobile authenticator app. That secret key is then shared between the client and the Oracle Identity Cloud Service server.

A user can use the mobile authenticator app to generate an OTP both online or offline. However, registering for push notifications and performing device compliance checks (jailbreak detection/PIN protection) can only be done while online.

  • Mobile App Passcode: Use a mobile authenticator app, such as the Oracle Mobile Authenticator app, to generate an OTP. A new OTP is generated every 30-60 seconds and is valid for 90-180 seconds. After the user enters their user name and password, a prompt appears for the passcode. After generating the passcode using the mobile authenticator app, the user enters that code as the second verification method.
  • Mobile App Notification: Send a push notification to the OMA app that contains an approval request to allow or deny a login attempt. After the user enters their user name and password, a login request is sent to their phone. The user taps Allow to authenticate.

The OMA app is available for Android, iOS, and Windows operating systems.


During MFA enrollment, a user must enter the key manually or use the enrollment URL when using the OMA app on a Surface Pro or Windows Desktop device. The QR code scanner can't be used due to a camera limitation. When a user enters that key manually, the OMA app supports only BASE32 encoding.

When you enable both the Mobile App Passcode and Mobile App Notification factors and a user is enrolled in Mobile App as a second method of verification, the Mobile App Notification factor is the default that is presented to the user. Users can change which factor they want to use by either selecting a different backup verification method when logging in or by selecting a different method as their default option. Oracle Identity Cloud Service users can use the OMA app or any supported third-party authenticator app that they want to generate OTPs. However, users must use the OMA app to receive push notifications.

Oracle Identity Cloud Service works with any third-party authenticator app (such as Google Authenticator) that adheres to the TOTP: Time-Based One-Time Password Algorithm specification. There are no special administrator configuration steps for third-party authenticator apps. When a user enrolls in MFA and selects Mobile App as the method, the user can either select the Enter Key Manually or Scan offline QR code options to set up third-party authenticators. We recommend the use of the OMA app as it supports notifications and security features such as app protection policy, compliance policy, and silent key refresh.