These days, passwords online are not strong enough by themselves to protect applications. Scandals about password breaches seem to happen on a regular basis. This is where Multi Factor Authentication (MFA) greatly reduces the risks associated with protecting information online. Multi Factor Authentication combines something you know (e.g. your password) with something you have (e.g. your smartphone). MFA can be used with SMS or a Mobile App on an iPhone, an Andriod phone or a Windows Phone. Using MFA on a smartphone significantly reduces the costs associated with older and more traditional MFA technologies like physical tokens because of the cost of delivery and administrative overheads.
Oracle Identity Cloud Service allows you to deliver Multi Factor Authentication quickly and easily. In this article I’ll walk through the steps necessary to enable Multi Factor Authentication using Oracle Identity Cloud Service(IDCS). Once MFA is enabled you’ll be able to use MFA with any application protected by your instance of Oracle IDCS. In my example, I’ll use the Oracle Mobile Authenticator App on an iPhone to protect applications as well as the User Self Service Console in IDCS.
Firstly, you’ll need to login to the IDCS administration console and click on the Security tab. The screenshot below shows what it looks like.
I have configured MFA for all users, however it can be restricted just to IDCS administrators or not enabled at all. In this example, I have set MFA enrolment as optional, which means users can decide to use Multi Factor Authentication at the time they activate their account. Setting MFA enrolment to required means all applicable users must enrol for MFA.
MFA can be enabled for various factors. In my case I have enabled Security Questions, Mobile Application One Time Pin, Mobile Application Notification (aka Push Notification), Text message (SMS) and Bypass Code.
Bypass Code is interesting because it addresses the situation where a user doesn’t have access to their smartphone (whether it’s lost, broken, out of battery etc). The bypass code is a one time long PIN that can be used to login when the other factors aren’t available.
We can also enable trusted computers which means that once we have successfully authenticated with MFA, Oracle Identity Cloud Service will trust that computer for the specified number of days. During this time, the user won’t be prompted for MFA again.
Finally, we can set the maximum number of MFA attempts before IDCS will lock the account.
Once we have configured the general settings for MFA, we now need to configure the specific settings for the Mobile App.
Click on the Mobile App side tab to see the settings. The screenshot below shows the setting I have defined for the Mobile App.
This tab shows some pretty powerful capabilities like biometrics and phone security. In the first section of this screen you define policies about the One Time Pin like PIN length, the hashing algorithm used to secure the PIN and how often the PIN and shared key is refreshed.
The next section allows you to define policies about how the App is protected. You can protect the App on the smartphone with a PIN or with fingerprint. In my case, I have set it to fingerprint. If the user’s phone doesn’t support fingerprints then the App will fallback to PIN.
The final section on this screen covers compliance policies relating to the device. I can configure the App on the phone to ensure that all patches are up to date for the App as well as the OS on the smartphone. I can also prevent users from using the App on phones that have been rooted or don’t have screen locks. This greatly improves the security of the MFA application and if the MFA device should be trusted.
That’s it! Multi Factor Authentication is enabled for applications protected by IDCS.
Ok, that hasn’t really shown MFA in action. So let’s add a basic user to IDCS and try MFA on an application.
Logout from IDCS after adding the user.
Now, from your iPhone just search for “Oracle Mobile Authenticator” in the App Store and download it.
Check your email for the New User notification and click on the button to Activate Your Account. You should perform this step from a computer because the activation process will display a QR Code which the Oracle Mobile Authenticator app can scan using the phone’s camera. This is an extremely easy way to register your phone for MFA, it’s just “point and shoot” registration.
When you click on the Activate button you’ll be redirected to IDCS to set up a password for your user account. The password must comply with the password policies listed next to the password prompt. When the password is successfully submitted, you’ll be prompted to enable Multi Factor Authentication.
When you select Mobile App as the MFA Method, a QR code will be displayed on the computer screen.
Next, start the app on your smartphone, Allow notifications and click on the + icon to add an account. The Mobile Authenticator App supports QR Codes so you don’t have to manually add the account details. Allow the App to use your camera and point it at the QR Code on the screen. Pointing the camera at the QR code will automatically setup MFA for you.
To try out MFA you can simply login to the Self Service Console as the new user.
Enter your user ID and password and sign in. You will then be prompted for an MFA Passcode challenge from your smart phone which will look like this:
The Passcode appears as a number that changes every 30 seconds on the Mobile Authenticator App. After entering the Passcode and clicking on Verify button you will be redirected to the IDCS Self Service Console or any other application that you have protected with IDCS.
That’s it. You have successfully configured and used Multi Factor Authentication in Oracle Identity Cloud Service using a smart phone.