Enable Multifactor Authentication
Multifactor Authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user’s identity.
With MFA enabled in OCI IAM identity domain, when a user signs in to an application, they are prompted for their user name and password, which is the first factor – something that they know. The user is then required to provide a second type of verification. This is called 2-Step Verification. The two factors work together to add an additional layer of security by using either additional information or a second device to verify the user’s identity and complete the login process.
Users are increasingly connected, accessing their accounts and applications from anywhere. As an administrator, adding MFA on top of the traditional user name and password helps you protect access to data and applications. It also reduces the likelihood of online identity theft and fraud, which keeps your business applications secure even if an account password is compromised.
With the identity service upgrade to the Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) identity domain, you can enable MFA for signing in to Oracle Fusion Cloud Applications. Oracle Fusion Cloud Applications leverages the MFA functionality available within the OCI IAM identity domain and supports six different factors. Security administrators can choose among these six factors and make them available for users to set up MFA. Users can set up MFA with the provisioned factors when they sign in. MFA is supported only in non-federated single sign-on (SSO) environments. Here are the six factors:
- One-Time PIN over Email
- One-Time PIN over SMS
- Passcode on Oracle Mobile Authenticator
- Push-based notification from Oracle Mobile Authenticator
- FIDO Passkey Authenticator
- Bypass code
For the One-Time PIN over SMS factor, the work mobile is used as the phone number for authentication. User details such as phone number (work mobile) and email (work email) are stored in the product-specific user settings in Oracle Fusion Cloud Applications, and not on the OCI IAM identity domain.
After the identity upgrade, you can run the Send Personal Data for Multiple Users to LDAP Process to copy the phone number (work mobile) of all existing users to the OCI IAM identity domain. To manage the MFA settings in Security Console, you must be assigned a custom role based on the IT Security Manager role.
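Because the One-Time PIN over SMS factor depends on a work mobile number that lives in Fusion user settings and only reaches the identity domain through the LDAP process described above, an administrator may want a pre-flight check before enabling factors for a user category. The following is an added example, not Oracle's code: it runs over constructed user records (the `FusionUser` fields and the `mobile_in_identity_domain` flag are assumptions) and reports, per user, which enabled factors are unusable and who still needs the sync.

```python
from dataclasses import dataclass

# Factor names exactly as listed for the OCI IAM identity domain.
EMAIL_OTP = "One-Time PIN over Email"
SMS_OTP = "One-Time PIN over SMS"
OMA_PASSCODE = "Passcode on Oracle Mobile Authenticator"
OMA_PUSH = "Push-based notification from Oracle Mobile Authenticator"
FIDO = "FIDO Passkey Authenticator"
BYPASS = "Bypass code"
DEFAULT_FACTORS = {EMAIL_OTP, SMS_OTP, OMA_PASSCODE}  # selected by default

@dataclass
class FusionUser:
    """Constructed record: work email/mobile are held in Fusion user settings (assumed fields)."""
    user_name: str
    work_email: str = ""
    work_mobile: str = ""
    mobile_in_identity_domain: bool = False  # assumed flag: True once the LDAP process copied it

def usable_factors(user: FusionUser, enabled: set[str]) -> set[str]:
    """Factors the user could actually enroll in, given what the category enables."""
    usable = set()
    for factor in enabled:
        if factor == EMAIL_OTP and not user.work_email:
            continue  # email OTP has nowhere to be delivered
        if factor == SMS_OTP and not (user.work_mobile and user.mobile_in_identity_domain):
            continue  # SMS OTP needs the work mobile present in the identity domain
        if factor == BYPASS:
            continue  # treated as a recovery mechanism, not an enrollment factor (assumption)
        usable.add(factor)
    return usable

def readiness_report(users, enabled=DEFAULT_FACTORS) -> dict[str, list[str]]:
    """Map user_name -> findings an administrator should resolve before enabling MFA."""
    report: dict[str, list[str]] = {}
    for u in users:
        findings = []
        if SMS_OTP in enabled and u.work_mobile and not u.mobile_in_identity_domain:
            findings.append("run Send Personal Data for Multiple Users to LDAP Process")
        if SMS_OTP in enabled and not u.work_mobile:
            findings.append("no work mobile: SMS factor unavailable")
        if EMAIL_OTP in enabled and not u.work_email:
            findings.append("no work email: email factor unavailable")
        if not usable_factors(u, enabled):
            findings.append("no usable factor: user cannot complete 2-Step Verification")
        if findings:
            report[u.user_name] = findings
    return report

# Constructed sample users for a dry run.
SAMPLE_USERS = [
    FusionUser("a.ok", "a@example.com", "+15550001", True),
    FusionUser("b.unsynced", "b@example.com", "+15550002", False),
    FusionUser("c.nomobile", "c@example.com"),
    FusionUser("d.bare"),
]
```

Running `readiness_report(SAMPLE_USERS)` flags the unsynced and attribute-less users; passing an `enabled` set of only the email and SMS factors additionally surfaces users who would have no factor at all to enroll in.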
Determine the Authentication Factors Available to Users
- On the User Categories page of Security Console, select the user category that's associated with the target users.
- Click Two-Factor Authentication.
- Click Edit.
- Select all the authentication options that you want for your users.
One-Time PIN over Email, One-Time PIN over SMS, and Passcode on Oracle Mobile Authenticator are selected by default, but you can modify the selection if required.
After you enable MFA, when users of that user category sign in to Oracle Fusion Cloud Applications, they’ll be redirected to the Oracle Cloud Console page and prompted to enable secure verification for themselves. See Set Up Multifactor Authentication Methods.