Oracle Identity Cloud Service (IDCS) has just released version 17.2.2 in May 2017 and with it a cool new feature: Multi-Factor Authentication, or in short, MFA.
MFA is a method of authentication that requires the user to present more than one piece of evidence - or factors: one-time pass codes, SMS, security questions, etc - to an authentication mechanism before being granted access.
As users become more connected, accessing their accounts from anywhere and from different devices, and given that the majority of security breaches occur through compromised credentials, implementing MFA helps increase the security of critical systems.
Multi-factor authentication strength is based on the idea that an unauthorized user will probably be unable to provide all the required factors to authenticate; if one of the authentication components is missing the system would not be able to establish the user identity and authentication would fail.
You can read more about MFA and its factors and other security options here.
The second part of this blog post can be found here.
In the May 2017 release (17.2.2), MFA supports five factors:
In this post we will cover the initial MFA configuration and how to use the Oracle Mobile Authenticator (OMA) to authenticate with a One-Time Password (OTP).
To enable MFA, an IDCS Administrator has to execute the following steps:
1. In the Identity Cloud Service console, click on the Security tab, and then select MFA from the side navigation bar.
2. Select the users that you want to enable MFA for:
None – Selected by default and indicates that MFA is disabled.
Administrator – Select this option to enable MFA for only administrator roles.
All Users – Select this option to enable MFA for both administrators and end-users.
3. Select whether MFA enrollment is optional or required for your users.
If required, users will have to complete the 2-Step Verification process for their account before they can enroll and login. Users will start the enrollment process after they try to authenticate for the first time after MFA is enabled and they will not be able to skip the enrollment process or access their application until enrollment is complete.
If optional, users will be prompted to enroll in 2-Step Verification after they try to login for the first time after MFA is enabled, but they can skip the process and continue to access their application. Users can enroll later with MFA from the IDCS self-service console in the 2-Step Verification tab.
TIP: Make sure you select "MFA enrollment for the user is: Optional" at this point, otherwise if you miss any details in the following steps you might be locked out of your Cloud Service. After you make sure MFA is working as expected with your chosen factors, you can go back and change it to "required" if that is the case.
4. Select the factors that you want to enable for your users. In this post we will show the "Mobile App OTP" factor, so make sure it is selected.
Leave the other options with default values and click "Save".
To configure the authentication factors click on the Security tab, and then Factors from the side navigation bar.
Select the factor you want to configure.
In this post we will only cover the Mobile Authenticator One-Time Password factor in detail.
You can read more about Authentication Factors here.
In the Mobile App Settings page, the administrator can configure various security constraints for the Mobile Authenticator that will provide One-Time Passwords or Notification factors for authentication.
Since we're using the One-Time Passcode (OTP) Policy, below are the parameters we need to set:
There are other settings that govern the Mobile App protection and compliance policy but for now, the standards will suffice for our demonstration.
Make your choices based on the picture above and click Save.
You can use the Oracle Mobile Authenticator app to securely generate One-Time Passwords, enforce device compliance checks (jailbreak detection/PIN protection), and receive push notifications.
The OMA app is available for Android, iOS, and Windows operating systems.
The OMA app is a soft token that is installed on mobile devices. When a user scans the Quick Response (QR) code or uses the enrollment URL during MFA enrollment, the OMA app is automatically configured with the Oracle Identity Cloud Service server.
The App retrieves a secret key, which is required to generate the OTP and to receive push notifications from the IDCS server.
That secret key is then shared between the client and the Identity Cloud Service server.
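The Mobile App OTP factor is built on that shared secret. As an added example, not part of the original post and not Oracle's code, here is a standard TOTP (RFC 6238) generator together with a server-side verifier that tolerates one 30-second step of clock skew and rejects a code that has already been accepted. It assumes HMAC-SHA1, 30-second steps and the RFC test secret; the page does not state which parameters OMA and IDCS actually use.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret_b32, at // step, digits)


class OtpVerifier:
    """Server side: accept the current step plus/minus `window` steps, and never
    accept a step at or before the last accepted one (blocks replay of a code
    that was observed in transit)."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, at: int) -> bool:
        now_step = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = now_step + delta
            if candidate <= self.last_accepted_step:
                continue  # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    verifier = OtpVerifier(SECRET)
    code = totp(SECRET, 59)                 # what the app would display at T=59
    print(code, verifier.verify(code, 59))  # first use accepted
    print(code, verifier.verify(code, 59))  # same code again rejected
```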
Go to your mobile device application store and search for "Oracle Mobile Authenticator".
Install the app and open it when installation is complete.
TIP: Make sure you've installed the Oracle Mobile Authenticator Version 4.0 or above as this is the version that supports MFA with IDCS.
Before you can use the app to generate One-Time Passcodes, you will need to register an account with the Mobile Authenticator.
The fastest way is to just scan the QR code when prompted to enroll in the 2-Step Verification process, after you log in to your Oracle Cloud Service.
Go to your Oracle Cloud service “my console” URL, something like https://your_host/ui/v1/myconsole, to start the enrollment process.
After providing your credentials, you should see the 2-Step Verification enrollment screen.
Click the “Enable” button on the “Enable 2-Step Verification” screen, open the Mobile Authenticator app on your phone and you should see the following screen.
Choose the “Add Account” option and scan the QR code from your “Oracle Cloud Service 2-Step Verification enrollment” screen.
After a few seconds you should see the browser page refresh to show that your enrollment is complete.
In the next attempt to log in, users will be prompted to provide the Mobile Authenticator One-Time Passcode.
Open the Oracle Mobile Authenticator, obtain the One-Time Passcode and use it as the second authentication factor with IDCS.