33 Configuring the Oracle Mobile Authenticator
The following sections contain configuration details when using the Oracle Mobile Authenticator app on an iOS, Android, or Windows mobile device.
33.1 Understanding Oracle Mobile Authenticator Configuration
The Oracle Mobile Authenticator (OMA) app can retrieve the secret key required to generate an OTP, or register with Access Manager to receive push notifications.
Provisioning the secret key can be done online or offline; registering for push notifications, however, can only be done while online.
Note:
For details on the secret key, see Generating a Secret Key for the Oracle Mobile Authenticator.
- Online Configuration uses the REST web services and the Mobile OAuth Services described in Generating a Secret Key for the Oracle Mobile Authenticator and Configuring OAuth Services to enable the Secret Key API. Once enabled, the OMA app can invoke this service to get a secret key or register for push notifications. To invoke the REST web services, OMA needs to know their location URL. In this case, the Oracle Access Management administrator creates a web page to configure the OMA. When the user taps the web page's link (provided via e-mail), it launches the OMA, passes the location URL to the app, and the REST web services location is configured. The format of the location URL is as follows.
oraclemobileauthenticator://settings?ServiceName::=<name_of_service>&ServiceType::=SharedSecret/Notification/Both&SharedSecretAuthServerType::=HTTPBasicAuthentication/OAuthAuthentication&LoginURL::=http://<host>:<port>/secretKeyURL&NotificationAuthServerType::=HTTPBasicAuthentication&PushPreferencesEndpoint::=http://<host>:<port>/preferencesURL&ChallengeAnswerEndpoint::=http://<host>:<port>/challengeAnswerURL&SenderID::=<senderID>&OAuthClientID::=<clientID>&OAMOAuthServiceEndpoint::=http://<host>:<port>/oauthserviceURL&OAuthScope::=<OAuthScope>
Table 33-1 documents definitions for the location URL parameters.
Table 33-1 Location URL Parameter Definitions

Parameter | Definition
---|---
ServiceName | Name of the service. This name should be unique in OMA. If another configuration with the same name is sent, the app prompts the user to overwrite the previous one.
ServiceType | The type of service provided by this configuration: one-time password, notification, or a hybrid service that combines both. The value can be SharedSecret, Notification, or Both.
SharedSecretAuthServerType | The type of authentication by which the shared secret provisioning REST endpoint is protected. The value can be HTTPBasicAuthentication or OAuthAuthentication.
LoginURL | The REST endpoint that provisions the shared secret for generating one-time passwords. The value specified for the LoginURL query parameter is based on the OAuth settings for Oracle Mobile Authenticator.
NotificationAuthServerType | The type of authentication by which the notification registration endpoint is protected. Currently only HTTP basic authentication is supported, so the value is HTTPBasicAuthentication.
PushPreferencesEndpoint | The REST endpoint to which push notification preferences are sent.
ChallengeAnswerEndpoint | The REST endpoint to which push notification responses are sent.
SenderID | The Android sender ID for sending push notifications. The SenderID is only required on Android; it is not required when using iOS.
OAuthClientID | The OAuth client ID; required when SharedSecretAuthServerType is set to OAuthAuthentication.
OAMOAuthServiceEndpoint | The OAM OAuth service endpoint used to get the OAuth profiles available on the server.
OAuthScope | The OAuth scope required to access the shared secret.
Note:
Oracle recommends using online configuration.
- Offline Configuration supports use cases in which the mobile device cannot connect to the REST endpoint, or in which the parameters needed to generate the OTP differ from the defaults. The Access Manager administrator sets up a web application that allows the user to generate or recreate a secret key. The user logs in to this web application and, after authentication, can view the secret key and enter it in the OMA app manually. The secret key can also be delivered via an offline configuration URL, which gives the administrator the option of changing the OTP generation parameters (time step, hashing algorithm, and the like). The format of the offline configuration URL is:
oraclemobileauthenticator://settings?SharedSecretValue::=<secret_key>&AccountName::=<username>&SharedSecretEncoding::=Base32/Base64String&OTPAlgorithm::=TOTP&HashingAlgorithm::=MD5/SHA-1/SHA-224/SHA-256/SHA-384/SHA-512&OTPLength::=<length_of_OTP>&TimeStep::=<time_in_seconds>
Table 33-2 contains details regarding the parameters.
Table 33-2 Offline Configuration URL Parameters

Parameter | Description
---|---
SharedSecretValue | Mandatory; the value is the secret key.
AccountName | Prompts the user for input if omitted.
SharedSecretEncoding | Default is Base32.
OTPAlgorithm | Default is TOTP.
HashingAlgorithm | Default is SHA-1.
OTPLength | Default is 6.
TimeStep | Default is 30 sec.
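As an added example (not Oracle's code and not the OMA app's own implementation), the following Python parses the oraclemobileauthenticator://settings URL format used by both the online and offline configuration URLs above, fills in the Table 33-2 defaults for any omitted offline parameter, and generates the resulting one-time passcode the way RFC 6238 TOTP specifies. The function names are mine, and the sample URL carries the RFC 6238 reference secret as a constructed value, not a real key.

```python
import base64
import hashlib
import hmac

PREFIX = "oraclemobileauthenticator://settings?"
# Defaults from Table 33-2, used when the offline URL omits a parameter.
DEFAULTS = {"SharedSecretEncoding": "Base32", "OTPAlgorithm": "TOTP",
            "HashingAlgorithm": "SHA-1", "OTPLength": "6", "TimeStep": "30"}
HASHES = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-224": hashlib.sha224,
          "SHA-256": hashlib.sha256, "SHA-384": hashlib.sha384, "SHA-512": hashlib.sha512}

def parse_config_url(url):
    """Split an OMA configuration URL into a dict ('&' between pairs, '::=' between name and value)."""
    if not url.startswith(PREFIX):
        raise ValueError("not an oraclemobileauthenticator://settings URL")
    params = {}
    for pair in url[len(PREFIX):].split("&"):
        if not pair:
            continue  # empty segment, e.g. from a doubled '&'
        name, sep, value = pair.partition("::=")
        if not sep or not name:
            raise ValueError(f"malformed parameter: {pair!r}")
        params[name] = value
    return params

def decode_secret(value, encoding):
    """Decode SharedSecretValue according to SharedSecretEncoding."""
    if encoding == "Base32":
        return base64.b32decode(value.upper() + "=" * (-len(value) % 8))
    if encoding == "Base64String":
        return base64.b64decode(value)
    raise ValueError(f"unsupported SharedSecretEncoding: {encoding}")

def totp_from_config(params, unix_time):
    """RFC 6238 TOTP for the given Unix time, driven by the URL parameters."""
    cfg = {**DEFAULTS, **params}
    if cfg["OTPAlgorithm"] != "TOTP":
        raise ValueError("only OTPAlgorithm::=TOTP is handled here")
    key = decode_secret(cfg["SharedSecretValue"], cfg["SharedSecretEncoding"])
    digits, step = int(cfg["OTPLength"]), int(cfg["TimeStep"])
    counter = (int(unix_time) // step).to_bytes(8, "big")  # time-step counter
    mac = hmac.new(key, counter, HASHES[cfg["HashingAlgorithm"]]).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample URL: the RFC 6238 reference secret "12345678901234567890" in Base32 (not a real key).
SAMPLE_URL = (PREFIX + "SharedSecretValue::=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&AccountName::=alice&SharedSecretEncoding::=Base32&OTPLength::=8")
```

Because the app fills in defaults for omitted parameters, a URL that names only SharedSecretValue yields a 6-digit, SHA-1, 30-second code, while the sample above overrides OTPLength to 8.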
33.2 Using the Oracle Mobile Authenticator App
The Oracle Mobile Authenticator (OMA) app is a mobile device app that you can use as a second verification method, either by tapping Allow on the login request notification sent to your phone or by using the one-time passcode (OTP) that the app generates.
A mobile app uses either OTP or push notifications to prove that the user has possession of the mobile device. Only the mobile app that is in possession of the user's secret key can generate a valid OTP. You can download the Oracle Mobile Authenticator app from the app store.
OMA App Version | Mobile Platform Version
---|---
Version 4.0 | iOS 7.1+
Version 8.0 | Android 4.1+
Version 1.0 | Windows 8.1+
33.2.1 Adding an Account to the OMA App by Scanning the QR Code
After you install the Oracle Mobile Authenticator (OMA) app, you can link the App to an account by scanning the Quick Response (QR) code.
In the case of offline configuration, it is assumed that the customer develops a web application and a user is authenticated by said application. The OMA scans the QR code which must have the shared secret, shared secret encoding information and optionally the OTP validity duration, the hashing algorithm to be used for TOTP or the length of the OTP (5 digits/6 digits).
The QR code needs to be created from one of the following configuration URLs:
- oraclemobileauthenticator://settings?LoginURL::=http://OAMhost:port/oauth2/rest/resources/secretkey
- oraclemobileauthenticator://settings?AuthServerType::=HTTPBasicAuthentication&&LoginURL::=http://OAMhost:port/oauth2/rest/resources/secretkey&&ServiceName::=MyBank
See Understanding Oracle Mobile Authenticator Configuration.
Create the QR code manually using the configuration URLs you have received from your Administrator to proceed with the account creation process. Alternatively, you can receive the QR code directly from your Administrator and add an account just by scanning that QR code from the Add Account page.
33.2.2 Adding an Account to the OMA App Using the Configuration URL
After you install the Oracle Mobile Authenticator (OMA) app, you can link the App to an account by tapping the configuration URL.
Note:
You must perform these steps from your mobile device using a supported mobile browser: iOS – Safari; Android and Windows – any mobile browser.
33.2.3 Adding an Account to the OMA App by Entering the Key Manually
After you install the Oracle Mobile Authenticator (OMA) app on your device, you can link the App to an account by entering the key manually.
33.2.4 Using the Oracle Mobile Authenticator App as an Authentication Method
After you enroll the Oracle Mobile Authenticator (OMA) app as a 2-Step Verification method, use it to provide a second method of verification to securely log in to applications.
- Enter your user name and password in an Adaptive Authentication Service-protected environment.
- The authentication method that appears depends on the method that your Administrator has enabled:
33.3 Managing the Oracle Mobile Authenticator App
The Oracle Mobile Authenticator (OMA) app makes it easy for you to customize how you view your accounts, manage your PIN, and manage notifications.
33.3.1 Switching Between Grid View and List View
You can change how you view your list of accounts in the Oracle Mobile Authenticator (OMA) app.
33.3.2 Editing Accounts in the OMA App
You can edit your accounts in the Oracle Mobile Authenticator (OMA) app.
iOS
- While in List View, swipe left on the account tile that you want to edit. While in Grid View, swipe down.
- Tap Edit. The Edit Account screen appears.
Note:
To edit an account when using VoiceOver mode, you must be in Grid View. The Edit option is not available in List View when using VoiceOver mode.
- Make your changes, and then tap SAVE.
Android
- While in List View, long tap the account that you want to edit. While in Grid View, tap the account, and then long tap it when it appears in detail view.
- Tap the pencil icon that appears in the upper-right corner. The Edit Account screen appears.
- Make your changes, and then tap SAVE.
Windows
- Tap and hold the account tile that you want to edit. A menu appears.
- Tap Edit. The Edit Account screen appears.
- Make your changes, and then tap Save.
33.3.3 Reordering Accounts in the OMA App
You can change the order in which you view accounts in the Oracle Mobile Authenticator (OMA) app.
iOS
- While in List View, long tap the account to enter editing mode, and then hold the reorder icon on the right to drag. Tap Done when you finish.
- While in Grid View, long tap the account tile, and then drag (supported in iOS 9 and above).
Android
- Tap and hold the account tile, and then drag it.
Windows
- While in List View, long tap the account tile. From the menu that appears, tap Reorder, and then drag.
- While in Grid View, long tap the account tile, and then drag.
33.3.4 Deleting an Account in the OMA App
You can delete accounts in the Oracle Mobile Authenticator (OMA) app.
iOS
- While in List View, swipe left on the account tile that you want to delete. While in Grid View, swipe down.
- Tap Delete. A Delete Account confirmation window appears.
Note:
To delete an account when using VoiceOver mode, you must be in Grid View. The Delete option is not available in List View when using VoiceOver mode.
- Tap Delete Account.
Android
- Tap and hold the account tile that you want to delete.
- Tap the trash can icon that appears in the upper-right corner.
- In the Delete Account window, tap Delete Account.
Windows
- Tap and hold the account tile that you want to delete. A menu appears.
- Tap Delete. A Delete Account confirmation window appears.
- Tap Delete Account.
33.3.5 Enabling App Protection
Add an additional level of security to the Oracle Mobile Authenticator (OMA) app by using an app PIN or by using biometrics such as Touch ID or Fingerprint to protect the app.
App PIN protection requires a PIN to unlock the OMA app before you can generate a one-time passcode (OTP) or approve a notification. Biometric protection requires Touch ID or Fingerprint verification to unlock the App before you can generate an OTP or approve a notification.
Note:
The OMA app does not support biometrics on a Windows device. Touch ID with the OMA App is only supported with iOS version 8 and higher.
33.3.6 Changing Your OMA App PIN
Change your PIN in the Oracle Mobile Authenticator (OMA) app.
- Launch the OMA app, and then tap the menu icon in the upper-left corner.
- Tap App Protection, and then tap Change PIN.
- Enter the current PIN, the new PIN, confirm the new PIN, and then tap Done.
33.3.7 Disabling OMA App PIN Protection
You can disable PIN protection for the Oracle Mobile Authenticator (OMA) app.
Note:
Your application may not allow you to disable PIN protection.
- Launch the OMA app, and then tap the menu icon in the upper-left corner.
- Tap App Protection, and then slide to disable PIN protection for the OMA app.
- Enter your PIN, and then tap Done.
33.4 Configuring the Google Authenticator App
The Google Authenticator app only supports manual configuration.
To initiate configuration in the Google Authenticator app, the user creates an account for two-factor authentication using the app. After account creation, the user manually enters the secret key received from the resource owner. (For details on the secret key, see Generating a Secret Key for the Oracle Mobile Authenticator.) Additionally, ensure that TOTP is enabled at the bottom of the Google Authenticator screen. Google Authenticator generates the OTP code in an offline, disconnected mode; it does not interact with Access Manager.