Enable Multifactor Authentication

Multifactor Authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user’s identity.

With MFA enabled in OCI IAM identity domain, when a user signs in to an application, they are prompted for their user name and password, which is the first factor – something that they know. The user is then required to provide a second type of verification. This is called 2-Step Verification. The two factors work together to add an additional layer of security by using either additional information or a second device to verify the user’s identity and complete the login process.

Users are increasingly connected, accessing their accounts and applications from anywhere. As an administrator, adding MFA on top of the traditional user name and password helps you protect access to data and applications. It also reduces the likelihood of online identity theft and fraud, which keeps your business applications secure even if an account password is compromised.

With the identity service upgrade to the Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) identity domain, you can enable MFA for signing in to Oracle Fusion Cloud Applications. Oracle Fusion Cloud Applications leverages the MFA functionality available within the OCI IAM identity domain and supports six different factors. Security administrators can choose among these six factors and make them available for users to set up MFA. Users can set up MFA with the provisioned factors when they sign in. MFA is supported only in non-federated single sign-on (SSO) environments. Here are the six factors:

  • One-Time PIN over Email
  • One-Time PIN over SMS
  • Passcode on Oracle Mobile Authenticator
  • Push-based notification from Oracle Mobile Authenticator
  • FIDO Passkey Authenticator
  • Bypass code

For the One-Time PIN over SMS factor, the work mobile is used as the phone number for authentication. User details such as phone number (work mobile) and email (work email) are stored in the product-specific user settings in Oracle Fusion Cloud Applications, and not on the OCI IAM identity domain.

After the identity upgrade, you can run the Send Personal Data for Multiple Users to LDAP process to copy the phone number (work mobile) of all existing users to the OCI IAM identity domain. To manage the MFA settings in Security Console, you must be assigned a custom role based on the IT Security Manager role.

Determine the Authentication Factors Available to Users

Security administrators can assess their authentication requirements and decide on the number of factors to be enabled.
  1. On the User Categories page of Security Console, select the user category that's associated with the target users.
  2. Click Two-Factor Authentication.
  3. Click Edit.
  4. Select all the authentication options that you want for your users.

    One-Time PIN over Email, One-Time PIN over SMS, and Passcode on Oracle Mobile Authenticator are selected by default, but you can change the selection if required.

After you enable MFA, when users of that user category sign in to Oracle Fusion Cloud Applications, they’ll be redirected to the Oracle Cloud Console page and prompted to enable secure verification for themselves. See Set Up Multifactor Authentication Methods.

Enable Passwordless Authentication

Passwordless authentication lets users sign in without entering their user name and password every time.

The first time the user signs in, they enter their user name and password on the standard sign-in page. On subsequent sign-ins, the user is shown two pages. On the first page, the user provides their user name and then clicks Sign in. The OCI IAM identity domain evaluates the authentication factors (such as Email, Mobile App notification, or Mobile App passcode) that are available for signing in to Oracle Fusion Cloud Applications. These authentication factors appear on the second sign-in page, and the user completes one of them to access Oracle Fusion Cloud Applications.

Passwordless authentication is sometimes confused with Multifactor Authentication (MFA). Both MFA and passwordless authentication use a wide variety of authentication factors, but MFA is often used as an extra layer of security on top of regular password-based authentication. Passwordless authentication, by contrast, doesn't require a memorized secret and usually uses just one secure factor to authenticate identity, making it faster and simpler for users.

If you later choose to turn off passwordless authentication, the user can authenticate to Oracle Fusion Cloud Applications at the sign-in page by providing their credentials (user name and password), or by using a SAML or other identity provider.

To define passwordless authentication, you must be assigned the IT Security Manager role.

Prerequisite to Enable Passwordless Authentication

Before enabling passwordless authentication, make sure that every user has at least one MFA factor enabled.

Note: Once passwordless authentication is enabled, it applies to all users.

Configure Passwordless Authentication

If passwordless authentication is enabled, users can use their phone number or email as the user name on the sign-in page. Once enabled, when signing in for the first time, only the user name field is displayed on the sign-in page and there's no option to enter a password. After entering the user name on the sign-in page, users are prompted with the MFA options that the administrator configured.

  1. In the Oracle Cloud console, expand the Navigation Drawer, select Settings, and then click Session Settings.
  2. In the Session Settings page, select Enable User Name First.
  3. Click Save.

User Sign-In Experience

After you have configured passwordless authentication for your users, their sign-in experience changes.
  1. The sign-in page has only a user name field. There isn't a password field.
  2. The user enters their user name and selects Sign In.
  3. A second page appears where they enter the verification required by the authentication factor you have chosen, for example, a passcode sent by email.
  4. If there is more than one passwordless authentication factor, the user can select Show alternative login methods to choose a different one.