Best Practices from Oracle Development's A‑Team

Multi-Factor Authentication with Oracle Identity Cloud Services


Oracle Identity Cloud Service (IDCS) has just released version 17.2.2 in May/2017 and with it a cool new feature: Multi-Factor Authentication, or in short, MFA.

MFA is a method of authentication that requires the user to present more than one piece of evidence - or factors: one-time pass codes, SMS, security questions, etc - to an authentication mechanism before being granted access.

As users becomes more connected, accessing their accounts from anywhere and from different devices, and given that the majority of security breaches occurs from compromised credentials, implementing MFA helps increase the security of critical systems.

Multi-factor authentication strength is based on the idea that an unauthorized user will probably be unable to provide all the required factors to authenticate; if one of the authentication components is missing the system would not be able to establish the user identity and authentication would fail.

You can read more about MFA and its factors and other security options here.

The second part of this blog post can be found here.

MFA Factors

In May's 2017 release (17.2.2), MFA supports five factors:

  • Security Questions: prompts the user to answer security questions to verify their identity. After the user enters their username and password, he must provide answers to a defined number of security questions.
  • Mobile App One-Time Passwords: User has Oracle Mobile Authenticator (OMA) App installed in his device to generate an One-Time Password (OTP). A new OTP is typically generated every 30 seconds and is valid for 90-180 seconds. After the user enters his username and password he is prompted to enter the OTP generated by the Oracle Mobile Authenticator app.
  • Mobile App Notification: IDCS sends a push notification that contains an approval request to allow or deny a login attempt. After the user provide his username and password, a login request us sent to his phone. The user taps ‘Allow' to authenticate.
  • Text Message (SMS): IDCS sends a passcode as a text message (SMS) to the user phone. This method is useful for users with limited connectivity. After the user enters his username and password, a passcode is sent to their device to use as a second authentication factor.
  • Bypass Code: When enrolling users can generate a bypass code and save for later use. User-generated bypass codes never expire, but can be only used once. Users also have the option to contact an administrator to request a bypass code for access.

In this post we will cover the initial MFA configuration and how to user the Oracle Mobile Authenticator (OMA) to authenticate with One-Time Password (OTP).

Enabling MFA

To enable MFA, an IDCS Administrator has to execute the following steps:


1. In the Identity Cloud Service console, click on the Security tab, and then select MFA from the side navigation bar.

2. Select the users that you want to enable MFA for:

None – Selected by default and indicates that MFA is disabled.

Administrator – Select this option to enable MFA for only administrator roles.

All Users – Select this option to enable MFA for both administrators and end-users.

3. Select whether MFA enrollment is optional or required for your users.

If required, users will have to complete the 2-Step Verification process for their account before they can enroll and login. Users will start the enrollment process after they try to authenticate for the first time after MFA is enabled and they will not be able to skip the enrollment process or access their application until enrollment is complete.

If optional, users will be prompted to enroll in 2-Step Verification after they try to login for the first time after MFA is enabled, but they can skip the process and continue to access their application. Users can enroll later with MFA from the IDCS self-service console in the 2-Step Verification tab.

TIP: Make sure you select "MFA enrollment for the user is: Optional" at this point, otherwise if you miss any details in the following steps you might be locked out of your Cloud Service. After you make sure MFA is working as expected with your chosen factors, you can go back and change it to "required" if that is the case.

4. Select the factors that you want to enable for your users. In this post we will show the "Mobile App OTP" factor, so make sure it is selected.

Leave the other options with default values and click "Save".

Configuring the Authentication Factors

To configure the authentication factors click on the Security tab, and then Factors from the side navigation bar.

Select the factor you want to configure.

In this post we’re will only cover in detail the Mobile Authenticator One-Time Password factor.

You can read more about Authentication Factors here.

In the Mobile App Settings page, the administrator can configure various security constraints for the Mobile Authenticator that will provide One-Time Passwords or Notification factors for authentication.



Since we're using the One-Time Passcode (OTP) Policy, below are the parameters we need to set:

  • Password Length: Sets the length of passcode generated by the authenticator app. Between 4 and 10 digits.
  • Hashing Algorithm: The algorithm used to generate the passcode. SHA-2* or SHA-3* family of algorithms are recommended.
  • New OTP Generation: The number of seconds before a new OTP is generated by the authenticator.
  • Secret Key Refreshed: The number of days the shared key is refreshed (the key the authenticator uses to generate the OTP passcode).

There are other settings that govern the Mobile App protection and compliance policy but for now, the standards will suffice for our demonstration.

Make your choices based on the picture above and click Save.

Install Oracle Mobile Authenticator

You can use the Oracle Mobile Authenticator app to securely generate One-Time Passwords, enforce device compliance checks (jailbreak detection/PIN protection), and receive push notifications.

The OMA app is available for Android, iOS, and Windows operating systems.

The OMA app is a soft token that is installed on mobile devices. When a user scans the Quick Response (QR) code or uses the enrollment URL during MFA enrollment, the OMA app is automatically configured with the Oracle Identity Cloud Service server.

The App retrieves a secret key, which is required to generate the OTP and to receive push notifications from the IDCS server.

That secret key is then shared between the client and the Identity Cloud Service server.

Go to your mobile device application store and search for "Oracle Mobile Authenticator".

Install the app and open it when installation is complete.













TIP: Make sure you've installed the Oracle Mobile Authenticator Version 4.0 or above as this is the version that supports MFA with IDCS.

Before you can use the app to generate One-Time Passcodes, you will need to register an account with the Mobile Authenticator.

The fastest way is to just scan the QR barcode when prompted to enroll in the 2-Step Verification process, after you login in to your  Oracle Cloud Service.

Go to you Oracle Cloud service “my console” URL, something like: https://your_host/ui/v1/myconsole to start the enrollment process.

After providing your credentials, you should see the 2-Step Verification enrollment screen.



Click on “Enable" button on the "Enable 2-Step Verification" screen, open the Mobile Authenticator App in your phone and you should see the following screen.







Choose “Add Account” option and scan the barcode from your "Oracle Cloud Service 2-Step Verification enrollment" screen.







After a few seconds you should see the browser page being refreshed to show that you enrollment is complete.


Authenticating with Mobile Authenticator OTP

In the next attempt to log in, users will be prompted to provide the Mobile Authenticator One-Time Passcode.



Open the Oracle Mobile Authenticator, obtain the One-Time Passcode and use it to authenticate as their second authentication factor with IDCS.








Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha