11.10 Configuring Factor Verification

OAA allows you to configure factor verification. Factor verification allows users to verify a factor in the Self-Service Portal after the factor has been added. This allows a user to check the factor is working before it is used in a user challenge. By default, factor verification is disabled.

11.10.1 Creating a Verification Integration Agent

To enable factor verification, you must create a verification integration agent.

You can create integration agents using either REST APIs or the OAA Administration UI console. For details about creating integration agents using REST APIs, see REST API for Administration in Oracle Advanced Authentication.

To create a verification integration agent:

  1. Log in to the OAA Administration console at https://<AdminUrl>. You are redirected to the OAM login page because the console is protected by OAM OAuth. Specify your credentials and log in.
  2. Under Quick Actions select Create Other Integration Agent.
  3. In the Create Integration Agent window, specify the following:
    1. Name: Enter a name for your integration agent, for example VerificationFlowAgent.

      Note:

      The property oaa.default.spui.pref.runtime.verification.agentId is set to VerificationFlowAgent by default. If you give your agent a different name, you must configure the property to match. See Configuring Properties for Factor Verification.
    2. Description: Add a description for the integration agent.
    3. Integration Agent Type: API is selected by default.
    4. Click Save.

11.10.2 Creating an Assurance Level for the Verification Integration Agent

Create an assurance level for the verification integration agent.

You can create assurance levels using either REST APIs or the OAA Administration UI console. For details about creating assurance levels using REST APIs, see REST API for Administration in Oracle Advanced Authentication.

To create an assurance level for the verification integration agent:

  1. In the Integration Agents window, select the verification integration agent for which you need to create the assurance level.
  2. Under the Assurance Levels tab, click Create.
  3. Specify the required details:
    1. Name: Specify the name for this assurance level, for example FactorVerificationAL.

      Note:

      The property oaa.default.spui.pref.runtime.verification.assuranceLevel is set to FactorVerificationAL by default. If you give your assurance level a different name, you must configure the property to match. See Configuring Properties for Factor Verification.
    2. Description: Provide the description for the assurance level.
    3. Click Create.
    4. Click the Assurance Level created.
    5. Under Uses select the factors for which you want to configure factor verification.

      Note:

      Factor verification is only supported for Oracle Mobile Authenticator, OMA Push Notification Challenge, Email Challenge, Yubico OTP Challenge, and SMS Challenge.
  4. Click Save.

11.10.3 Configuring Properties for Factor Verification

To enable factor verification you must set configuration properties.

The following table lists the OAA properties that you must configure to enable factor verification.

Table 11-4 Factor Verification Properties

| Property Name | Description | Default Value |
|---|---|---|
| oaa.default.spui.pref.runtime.verification.enabled | This property determines if factor verification is enabled or disabled. To enable factor verification, set this value to true. | false |
| oaa.default.spui.pref.runtime.verification.agentId | The name of the verification integration agent. If you create a verification agent with a name other than the default VerificationFlowAgent, you must set this property to the name of the agent created. | VerificationFlowAgent |
| oaa.default.spui.pref.runtime.verification.assuranceLevel | The name of the assurance level for the verification agent. If you create an assurance level with a name other than the default FactorVerificationAL, you must set this property to the name of the assurance level created. | FactorVerificationAL |

Use the <PolicyUrl>/policy/config/property/v1 REST API to configure properties.

Note:

In this case remove /oaa-policy from the <PolicyUrl>, for example use https://<host>:<port>/policy/config/property/v1 not https://<host>:<port>/oaa-policy/policy/config/property/v1

For details about finding the PolicyUrl and authenticating, see OAA Admin API.

For details about the Configuration Properties REST Endpoint, see Configuration Properties REST Endpoints.
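The following added example (not part of the Oracle documentation) prepares the property update for Table 11-4, strips /oaa-policy from the PolicyUrl as the note above requires, and refuses a non-HTTPS URL because credentials travel with the request. The PUT method, the JSON array of name/value pairs, HTTP Basic authentication, and the host, user, and agent names shown are assumptions; confirm them against Configuration Properties REST Endpoints and OAA Admin API.

```python
import base64
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

PREFIX = "oaa.default.spui.pref.runtime.verification."


def property_endpoint(policy_url):
    """Build the property endpoint, dropping a trailing /oaa-policy as the note requires."""
    parts = urlsplit(policy_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("PolicyUrl must be an https:// URL; credentials are sent with the request")
    path = parts.path.rstrip("/")
    if path.endswith("/oaa-policy"):
        path = path[: -len("/oaa-policy")]
    return urlunsplit(("https", parts.netloc, path + "/policy/config/property/v1", "", ""))


def verification_properties(agent_name="VerificationFlowAgent",
                            assurance_level="FactorVerificationAL"):
    """Return the three Table 11-4 properties; names must match what was created in the console."""
    for label, value in (("agent name", agent_name), ("assurance level", assurance_level)):
        if not value or value != value.strip():
            raise ValueError(f"{label} is empty or has surrounding whitespace: {value!r}")
    values = {"enabled": "true", "agentId": agent_name, "assuranceLevel": assurance_level}
    return [{"name": PREFIX + key, "value": val} for key, val in values.items()]


def build_request(policy_url, user, password, **names):
    """Prepare (but do not send) the request. Assumed: PUT, JSON array body, HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        property_endpoint(policy_url),
        data=json.dumps(verification_properties(**names)).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
    )


if __name__ == "__main__":
    # Constructed sample values; replace with your deployment's PolicyUrl and credentials.
    req = build_request("https://oaa.example.com/oaa-policy", "admin-user", "admin-password",
                        agent_name="MyVerifyAgent", assurance_level="MyVerifyAL")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To apply the change: urllib.request.urlopen(req), then check the HTTP status.
```

Reviewing the printed URL and body before sending catches the two common misconfigurations: a leftover /oaa-policy segment and an agentId or assuranceLevel that does not match the name created in the console.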

11.10.4 Testing Factor Verification

To test factor verification:

  1. Access the Self-Service Portal by launching a browser and accessing https://<SpuiURL>. The user logs in to the console using their username and password set in the OAM OAuth identity store.

    Note:

    For details on finding the <SpuiUrl>, see Printing Deployment Details.
  2. Under Authentication Factors select Add Authentication Factor and select an authentication factor. In this example Email Challenge is selected.
  3. In the Setup Security Code via Email page, enter a Friendly Name and Email address. As factor verification is enabled, two new options are shown: Verify Now and Verify Later.

If you select Verify Now you will be asked to enter the verification code. In this example the verification code will be sent to the email address. Enter the verification code from the email and select Verify and Save. If verification is successful you will be returned to the Authentication Factors screen and the authentication factor will show as Enabled.

If you select Verify Later you will be returned to the Authentication Factors screen. The factor added will show as Unverified.

Note:

If Verify Later is selected, the factor added will not be presented in a user challenge until it is verified.

If Verify Later is selected, the factor is saved as Unverified. It can be verified by selecting Verify from the factor drop-down menu on the Authentication Factors screen. Once the factor is verified, it will show as Enabled.

Note:

Any factors added prior to enabling factor verification will show either Enabled or Disabled and will not need to go through verification.

Important Note for Upgrades

If you are upgrading from a previous release where factor verification wasn't supported, all previously registered factors for a user will automatically be verified after upgrade. This is true for all previously enabled and disabled factors for a user. Any new factors registered for the user after upgrade will use factor verification.