Enable Multifactor Authentication

Multifactor Authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user’s identity.

With MFA enabled in Oracle Fusion Applications, when a user signs in to an application, they are prompted for their user name and password, which is the first factor – something that they know. The user is then required to provide a second type of verification. This is called 2-Step Verification. The two factors work together to add an additional layer of security by using either additional information or a second device to verify the user’s identity and complete the login process.

Users are increasingly connected, accessing their accounts and applications from anywhere. As an administrator, when you add MFA on top of the traditional user name and password, that helps you to protect access to data and applications. This also reduces the likelihood of online identity theft and fraud, which secures your business applications even if an account password is compromised.

With the identity service upgrade to the OCI Identity and Access Management identity domain, you can enable MFA for signing in to Oracle Fusion Cloud Applications. Oracle Fusion Cloud Applications leverages the MFA functionality available within the OCI Identity and Access Management identity domain and supports six different factors. Security administrators can choose among these six factors and make them available for users to set up MFA. Users can enroll in MFA with the provisioned factors when they sign in. MFA enforcement applies to users who sign in to an environment with user name and password. Users who sign in using SSO won't be prompted to enroll for MFA. Here are the six factors:

  • Email - Sends a one-time passcode in an email to the user's primary email address after the user selects Email as the second authentication method.
  • SMS - Sends a passcode as a text message (SMS) or as a phone call to the user's mobile phone after the user enters their username and password and selects Mobile as the second authentication method.
  • Oracle Mobile Authenticator Passcode - Uses the passcode generated in the Oracle Mobile Authenticator (OMA) application after the user enters their username and password and selects Passcode on OMA as the second authentication method.
  • Oracle Mobile Authenticator Notification - Sends a push notification that contains an approval request to allow or deny a login attempt after the user enters their username and password and selects Push-based notification as the second authentication method. Select Allow in the mobile phone notification to authenticate.
  • Fast ID Online (FIDO) Passkey Authenticator - Uses the FIDO authentication device, for example an external authentication device such as a YubiKey, or an internal device such as Windows Hello or Mac Touch ID, to authenticate after the user enters their username and password and selects FIDO Passkey Authenticator as the second authentication method.
  • Bypass code - Uses a bypass code, generated after signing in, as an alternative authentication factor or for account recovery when the default method isn't available. For example, if you don't have your phone with you but you do have your bypass code, use the bypass code as an alternative login method to verify your identity.

For more information about configuring the various MFA factors, see Configuring Authentication Factors.

For the SMS factor, the work mobile is used as the phone number for authentication. User details such as phone number (work mobile) and email (work email) are stored in the product-specific user settings in Oracle Fusion Cloud Applications, and not on the OCI Identity and Access Management identity domain.

After the identity upgrade, you can run the Send Personal Data for Multiple Users to LDAP Process to copy the phone number (work mobile) of all existing users to the OCI Identity and Access Management identity domain. To manage the MFA settings in Security Console, you must be assigned a custom role based on the IT Security Manager role.

Enable MFA and Determine the Authentication Factors Available to Users

Security administrators can assess their authentication requirements and decide on the number of factors to be enabled.
  1. On the User Categories page of Security Console, select the user category that's associated with the target users.
  2. Select Two-Factor Authentication.
  3. Select Edit.
  4. In the section Enforce MFA During Sign-in, select Requires MFA. After you enable MFA, when users of that user category sign in to Oracle Fusion Cloud Applications, they’ll be redirected to the Oracle Cloud Console page and prompted to enable secure verification for themselves.
  5. In the section Two-Factor Authentication, select all the MFA factors that you want your users to enroll for.

For more information about enrolling in the various MFA factors, see Set Up Multifactor Authentication Methods.

How can MFA not be enforced on automation users?

Automation users in non-production environments must be able to work without being prompted for MFA. To allow this, you can exclude such users from MFA enrollment enforcement.
  1. On the User Account Details view page, click Configure MFA Exclusion in the User Information section.
  2. On the Exclude Multifactor Authentication dialog box, click MFA Excluded to disable MFA for the automation user.
  3. Click Save and Close.