33 Configuring the Oracle Mobile Authenticator

The Oracle Mobile Authenticator is a mobile device app that uses Time-based One Time Password (TOTP) and push notifications to authenticate users with a two-factor authentication scheme. The Oracle Mobile Authenticator mobile device app must be configured to retrieve the secret key required to generate a One Time Password (OTP).

The following sections contain configuration details when using the Oracle Mobile Authenticator app on an iOS, Android, or Windows mobile device.

33.1 Understanding Oracle Mobile Authenticator Configuration

The Oracle Mobile Authenticator (OMA) app can retrieve a secret key required to generate a OTP or register with Access Manager to receive push notifications.

Provisioning the secret key can be done online or offline however registering for push notifications can only be done while online.

Note:

For details on the secret key, see Generating a Secret Key for the Oracle Mobile Authenticator.

  • Online Configuration uses the REST web services and the Mobile OAuth Services described in Generating a Secret Key for the Oracle Mobile Authenticator and Configuring Oauth Services to enable the Secret Key API. Once enabled, the OMA app can invoke this service to get a secret key or register for push notifications. To invoke the REST web services, OMA needs to know its location URL. In this case, the Oracle Access Management administrator creates a web page to configure the OMA. When the user taps on the web page's link (provided via e-mail), it launches the OMA, passes the location URL to the app and the REST web services location is configured. The format of the location URL is as follows.

    oraclemobileauthenticator://settings?ServiceName::=<name_of_service>
    &ServiceType::=SharedSecret/Notification/Both&
    SharedSecretAuthServerType::=HTTPBasicAuthentication/OAuthAuthentication 
    &LoginURL::=http://<host>:<port>/secretKeyURL
    &NotificationAuthServerType::= HTTPBasicAuthentication
    &PushPreferencesEndpoint::=http://<host>:<port>/preferencesURL
    &ChallengeAnswerEndpoint::=http://<host>:<port>/challengeAnswerURL
    &SenderID::=<senderID>
    &OAuthClientID::=<clientID>
    &OAMOAuthServiceEndpoint::=http://<host>:<port>/oauthserviceURL
    &OAuthScope::=<OAuthScope>
    

    Table 33-1 documents definitions for the location URL parameters.

    Table 33-1 Location URL Parameter Definitions

    Parameter Definition

    ServiceName

    Name of the service. This name should be unique in OMA. If another configuration with same name is sent then it will prompt the user to overwrite the previous one

    ServiceType

    The type of service provided by this configuration i.e. one-time password, notification or a hybrid service which combines both one-time password and notification. Value can be SharedSecret, Notification or Both.

    SharedSecretAuthServerType

    The type of authentication by which shared secret provisioning REST endpoint is protected. Value can be HTTPBasicAuthentication or OAuthAuthentication.

    LoginURL

    The REST endpoint that provisions the shared secret for generating one-time passwords. The value specified for the LoginURL query parameter is based on the OAuth settings for Oracle Mobile Authenticator.

    NotificationAuthServerType

    The type of authentication by which notification registration endpoint is protected. Currently only HTTP basic authentication is supported thus the value is HTTPBasicAuthentication.

    PushPreferencesEndpoint

    The REST endpoint where push notification preferences should be sent.

    ChallengeAnswerEndpoint

    The REST endpoint where push notification responses should be sent.

    SenderID

    The Android sender ID for sending push notifications. The SenderID is only required on Android; it is not required when using iOS.

    OAuthClientID

    OAuth client ID if SharedSecretAuthServerType is set for OAuth

    OAMOAuthServiceEndpoint

    OAM OAuth service endpoint to get OAuth profiles available on the server.

    OAuthScope

    The OAuth scope required to access the shared secret.

    Note:

    Oracle recommends using online configuration.

  • Offline Configuration supports use cases in which the mobile device can not connect to the REST end point or the parameters needed to generate the OTP are different than the defaults. The Access Manager administrator sets up a web application which allows the user to generate or recreate a secret key. The user logs into this web application and, after authentication, the user is allowed to view the secret key and enter it in the OMA app manually. The secret key can also be delivered via an offline configuration URL so the administrator has the option of changing the OTP generation parameters (time step, hashing algorithm and the like). The format of the offline configuration URL is:

    oraclemobileauthenticator://settings?SharedSecretValue::=<secret_key>
    &AccountName::=<username>&SharedSecretEncoding::=Base32/Base64String
    &OTPAlgorithm::=TOTP
    &HashingAlgorithm::=MD5/SHA-1/SHA-224/SHA-256/SHA-384/SHA-512
    &OTPLength::=<lenght_of_OTP>&TimeStep::=<time_in_seconds>
    

    Table 33-2 contains details regarding the parameters.

    Table 33-2 Offline Configuration URL Parameters

    Parameter Description

    SharedSecretValue

    Mandatory value is the secret key

    AcountName

    Prompts the user for input if omitted

    SharedSecretEncoding

    Default is Base32

    OTPAlgorithm

    Default is TOTP

    Hashing Algorithm

    Default is SHA-1

    OTPLength

    Default is 6

    TimeStep

    Default is 30 sec

33.2 Using the Oracle Mobile Authenticator App

The Oracle Mobile Authenticator (OMA) app is a mobile device app that you can use as a second verification method by tapping Allow on the login request notification sent to your phone or by using the one-time passocde (OTP) that the app generates.

A mobile app uses either OTP or push notifications to prove that the user has possession of the mobile device. Only the mobile app that is in possession of the user's secret key can generate a valid OTP. You can download the Oracle Mobile Authenticator app from the app store.

OMA App Version Mobile Platform Version
Version 4.0 iOS 7.1+
Version 8.0 Android 4.1+
Version 1.0 Windows 8.1+

33.2.1 Adding an Account to the OMA App by Scanning the QR Code

After you install the Oracle Mobile Authenticator (OMA) app, you can link the App to an account by scanning the Quick Response (QR) code.

In the case of offline configuration, it is assumed that the customer develops a web application and a user is authenticated by said application. The OMA scans the QR code which must have the shared secret, shared secret encoding information and optionally the OTP validity duration, the hashing algorithm to be used for TOTP or the length of the OTP (5 digits/6 digits).

The QR code needs to be created from any of the following configuration URLs:

  • oraclemobileauthenticator://settings?LoginURL::=http://OAMhost:port/oauth2/rest/resources/secretkey

  • oraclemobileauthenticator://settings?AuthServerType::=HTTPBasicAuthentication&&LoginURL::=http://OAMhost:port/oauth2/rest/resources/secretkey&&ServiceName::=MyBank

See Understanding Oracle Mobile Authenticator Configuration

Create the QR code manually using the configuration URLs you have received from your Administrator to proceed with account creation process. Also, you can receive the QR code directly from your Administrator and add an account just by scanning that QR code from the Add Account page.

To add an account to the OMA app:
  1. Open the OMA app on your phone, and then tap Add Account.

    Note:

    The OMA app may prompt you to enter the user name and password.
  2. Click Scan QR code to add account.
  3. Scan the QR code.
    The account is added to the OMA App.

33.2.2 Adding an Account to the OMA App Using the Configuration URL

After you install the Oracle Mobile Authenticator (OMA) app, you can link the App to an account by tapping the configuration URL.

Note:

You must perform these steps from your mobile device using a supported mobile browser: iOS – Safari, Android and Windows – Any mobile browser.
  1. In your browser, open the configuration URL you have received from your Administrator.
  2. If prompted, click Open to view the page in Authenticator.
    The account is added to the OMA App.

33.2.3 Adding an Account to the OMA App by Entering the Key Manually

After you install the Oracle Mobile Authenticator (OMA) app on your device, you can link the App to an account by entering the key manually.

  1. Open the OMA app on your phone, and then tap Add Account.
  2. Tap Enter Key Manually.
  3. On the Add Account page, fill in appropriate information and enter the key.
  4. Tap Save.
    The account is added to the OMA App.

33.2.4 Using the Oracle Mobile Authenticator App as an Authentication Method

After you enroll the Oracle Mobile Authenticator (OMA) app as a 2–Step Verification method, use it to provide a second method of verification to securely log in to applications.

  1. Enter your user name and password in an Adaptive Authentication Service-protected environment.
  2. Which authentication method that appears depends on the method that your Administrator has enabled:
    1. Mobile App OTP

      Note:

      Ensure that your device clock is synchronized.
      • You are prompted to enter the OTP that is generated by the OMA app on your mobile device.

      • Tap the OMA app on your device to launch it.

      • Tap the account for which you want to generate a new OTP. An OTP for the account appears, and the countdown begins until a new OTP is automatically generated.

      • Enter or paste that OTP into the OTP box, and then click Verify.

    2. Mobile App Notification
      • You are prompted to open and respond to the notification that was sent to the OMA app on your mobile device.

      • Open the notification in the OMA app, and then tap Allow.

      Note:

      Windows does not support notifications. You cannot enable or disable notifications if you are using a Windows phone.

33.3 Managing the Oracle Mobile Authenticator App

The Oracle Mobile Authenticator (OMA) app makes it easy for you to customize how you view your accounts, manage your PIN, and manage notifications.

33.3.1 Switching Between Grid View and List View

You can change how you view your list of accounts in the Oracle Mobile Authenticator (OMA) app.

  1. Launch the OMA app, and then tap the menu icon in the upper-left corner.
  2. Tap Grid View or List View to toggle between the two views.

    Note:

    For Windows phones, in the lower-right corner, tap the grid or list icon to toggle between the two views.

33.3.2 Editing Accounts in the OMA App

You can edit your accounts in the Oracle Mobile Authenticator (OMA) app.

iOS

  1. While in List View, swipe left on the account tile that you want to edit. While in Grid View, swipe down.

  2. Tap Edit. The Edit Account screen appears.

    Note:

    To edit an account when using VoiceOver mode, you must be in Grid View. The Edit option is not available in List View when using VoiceOver mode.
  3. Make your changes, and then tap SAVE.

Android

  1. While in List View, long tap the account that you want to edit. While in Grid View, tap the account, and then long tap it when it appears in detail view.

  2. Tap the pencil icon that appears in the upper-right corner. The Edit Account screen appears.

  3. Make your changes, and then tap SAVE.

Windows

  1. Tap and hold the account tile that you want to edit. A menu appears.

  2. Tap Edit. The Edit Account screen appears.

  3. Make your changes, and then tap Save.

33.3.3 Reordering Accounts in the OMA App

You can change the order in which you view accounts in the Oracle Mobile Authenticator (OMA) app.

iOS

  • While in List View, long tap the account to enter editing mode, and then hold the reorder icon on the right to drag. Tap Done when you finish.

  • While in Grid View, long tap the account tile, and then drag (supported in iOS9 and above).

Android

  • Tap and hold the account tile, and then drag it.

Windows

  • While in List View, long tap the account tile. From the menu that appears, tap Reorder, and then drag.

  • While in Grid View, long tap the account tile, and then drag.

33.3.4 Deleting an Account in the OMA App

You can delete accounts in the Oracle Mobile Authenticator (OMA) app.

iOS

  1. While in List View, swipe left on the account tile that you want to delete. While in Grid View, swipe down.

  2. Tap Delete. A Delete Account confirmation window appears.

    Note:

    To delete an account when using VoiceOver mode, you must be in Grid View. The Delete option is not available in List View when using VoiceOver mode.
  3. Tap Delete Account.

Android

  1. Tap and hold the account tile that you want to delete.

  2. Tap the trash can icon that appears in the upper-right corner.

  3. In the Delete Account window, tap Delete Account.

Windows

  1. Tap and hold the account tile that you want to delete. A menu appears.

  2. Tap Delete. A Delete Account confirmation window appears.

  3. Tap Delete Account.

33.3.5 Enabling App Protection

Add an additional level of security to the Oracle Mobile Authenticator (OMA) app by using an app PIN or by using biometrics such as Touch ID or Fingerprint to protect the app.

App PIN protection requires a PIN to unlock the OMA app before you can generate a one-time passcode (OTP) or approve a notification. Biometric protection requires Touch ID or Fingerprint verification to unlock the App before you can generate an OTP or approve a notification.

Note:

The OMA app does not support biometrics using a Windows device.

Touch ID with the OMA App is only supported with iOS version 8 and higher.

  1. To enable an app PIN:

    Note:

    Your application may require you to set up a PIN when you enroll.
    1. Launch the OMA app, and then tap the menu icon in the upper-left corner.
    2. Tap App Protection.
    3. Slide to enable PIN or Touch ID protection for the OMA app.
    4. Enter your PIN at the prompt, enter it again to verify, and then tap Done.
  2. To enable Biometrics:

    Note:

    When you initially enable Touch ID or Fingerprint, you are prompted to set your PIN if you have not. If you have set your PIN, you are prompted to enter your PIN first before enabling Touch ID or Fingerprint.
    1. Enter your PIN at the prompt.
    2. Enter your PIN again to verify, and then tap OK.
    The next time that you open the App, you are prompted to use your fingerprint to gain access to the OMA app.

33.3.6 Changing Your OMA App PIN

Change your PIN in the Oracle Mobile Authenticator (OMA) app.

  1. Launch the OMA app, and then tap the menu icon in the upper-left corner.
  2. Tap App Protection, and then tap Change PIN.
  3. Enter the current PIN, the new PIN, confirm the new PIN, and then tap Done.

33.3.7 Disabling OMA App PIN Protection

You can disable PIN protection for the Oracle Mobile Authenticator (OMA) app.

Note:

Your application may not allow you to disable PIN protection.
  1. Launch the OMA app, and then tap the menu icon in the upper-left corner.
  2. Tap App Protection, and then slide to disable PIN protection for the OMA app.
  3. Enter your PIN, and then tap Done.

33.3.8 Managing Notification History in the OMA App

You can access and view details about your notification history in the Oracle Mobile Authenticator (OMA) app.

  1. Launch the OMA app, and then tap the menu icon in the upper-left corner.
  2. Tap Notifications. The Notification History page displays all notifications for the account.

    Note:

    For the iOS platform, pending notifications that are currently in the Notification center of your device do not appear in the OMA app when you manually launch the OMA app.
  3. Tap a notification to view login request details.

33.4 Configuring the Google Authenticator App

The Google Authenticator app only supports manual configuration.

To initiate configuration in the Google Authenticator app, the user creates an account for two-factor authentication using the app. After account creation, the user manually enters the secret key received from the resource owner. (For details on the secret key, see Generating a Secret Key for the Oracle Mobile Authenticator.) Additionally, ensure that TOTP is enabled at the bottom of the Google Authenticator screen. Google Authenticator generates the OTP code in an offline, disconnected mode; it does not interact with Access Manager.