Configure Multi-Factor Authentication Using Oracle Identity Cloud Service

People access accounts and applications anytime from anywhere. By configuring multi-factor authentication (MFA) in Oracle Identity Cloud Service, you can protect data access and secure your business applications. MFA is a method of authentication that requires more than one factor to verify a user's identity. When a user signs in to an application, they're asked for a username and password. With MFA configured, the user must also provide a second method of verification; this process is called 2-Step Verification. The two factors work together to add a layer of security by using either additional information or a second device to verify the user's identity and complete the login process.

To configure MFA, on the multi-factor authentication settings page, select the factors that you want to be available to your users. Factors that you don't select don't appear as options for the user during enrollment, during login, or on the self-service console's 2-step verification page. You must select at least one factor in order to create a sign-on rule for MFA. Next, customize the factor configurations on the individual factor tabs.

The mobile OTP and mobile app notification factors use a mobile device to verify the user's identity. Either the mobile app generates a one-time passcode that the user enters on the login screen, or a notification is sent to the mobile app on the device for the user to approve the login request. Use the mobile app settings page to configure the protection policy for the Oracle Mobile Authenticator (OMA) app, including how users can access the OMA app, when to require users to unlock the OMA app, and the OMA app lockout policy. Use the compliance policy section of the page to choose which operating systems and which versions are allowed to use the OMA app. You can also configure policy for detecting the use of a rooted device and whether a device must use the screen lock feature. These settings affect both one-time passcodes and push notifications sent through the OMA app.

The text message factor sends a one-time passcode as an SMS to the user's selected device, which the user then enters on the 2-step verification page to verify their identity. Adjust SMS configurations such as the number of digits that the system uses when generating the passcode and for how long, in minutes, the passcode is valid. In the message template section you can edit the wording of the SMS message sent to the user.

The email factor sends a one-time passcode in an email to the user's primary email address. The user then enters that passcode on the 2-step verification page to verify their identity. The configuration for the one-time passcode sent by email is similar to the SMS configuration: you can specify the number of digits that the system uses when generating the passcode and how long, in minutes, that passcode is valid.

When security questions are enabled, the user is prompted to answer pre-registered security questions to verify their identity before gaining access to an application. When configuring security questions, you can change the minimum number of characters required for a user's answer and change the number of security questions that a user is asked. Clear the checkbox for questions that you don't want to be available to the user. You can't edit or delete the default questions, but you can add custom questions: select add question, and then enter the question in the window that opens. The custom question appears at the bottom of the question list.

The ability to generate a bypass code is available to the user after they enroll in 2-step verification. They can generate a bypass code and store it for later use, or request that an administrator generate one. For example, when a user has forgotten their phone, doesn't have cell service, or can't access their computer, the user can contact the help desk from the 2-step verification page to have an administrator generate a bypass code. The user then enters that bypass code to gain access to the application. To generate a bypass code for a user, access that user's account in Oracle Identity Cloud Service, select more, and then click generate bypass code.

There are additional settings on the multi-factor authentication settings page. Use the enable trusted computer option to allow your users to mark their devices as trusted during login; then define how long a device can be trusted and how many devices the user can mark as trusted. You can also define how many factors a user can enroll in, and the maximum number of times that a user can provide an incorrect verification using an MFA factor before they are locked out.

After configuring the factors that you want, you must define a sign-on policy and rules for your applications. To create a sign-on policy, access the sign-on policies page by expanding the navigation drawer, clicking security, and then clicking sign-on policies. Click add. Enter a name for the sign-on policy, such as PCI applications policy, and then click add rules to create one or more rules within the policy. In the add rule window, enter a name for the rule, such as prompt all users for MFA, then define the conditions you need, for example the group that the users belong to or the IP range from which the application is accessed. In the actions section of the window, select prompt for an additional factor. Specify whether MFA is required or optional, and then define how often you want users to provide a second authentication factor. After you define the rule, you need to assign applications to the sign-on policy: add one or more applications to the policy, for example the HR application and the CRM application. After you create the policy, save it, and then activate it. You have now configured MFA for the HR application and the CRM application.
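As an added example (not Oracle Identity Cloud Service code; the class and field names, defaults and return values are assumptions made for illustration), the following Python models the SMS and email one-time-passcode settings described above: the number of digits in the passcode, its validity in minutes, and the maximum number of incorrect verifications a user may submit before being locked out. It also shows two properties a practitioner would check in any such factor: a passcode is accepted only once, and comparison is constant-time.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Added illustration of one-time-passcode factor settings. Not Oracle Identity
# Cloud Service code; every name and default here is an assumption.

@dataclass(frozen=True)
class OtpFactorConfig:
    passcode_digits: int = 6        # number of digits in the generated passcode
    validity_minutes: int = 5       # how long, in minutes, the passcode stays valid
    max_failed_attempts: int = 3    # incorrect verifications before lockout

@dataclass
class OtpChallenge:
    passcode: str                   # the code delivered by SMS or email
    expires_at: datetime            # issue time + validity_minutes
    failed_attempts: int = 0
    consumed: bool = False          # a verified passcode must not be reusable

class OtpFactor:
    """Issues and verifies one-time passcodes for one user under an OtpFactorConfig.

    The clock is injectable so expiry behaviour can be tested deterministically.
    """
    def __init__(self, config: OtpFactorConfig,
                 clock: Optional[Callable[[], datetime]] = None):
        self.config = config
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.locked_out = False

    def issue(self) -> OtpChallenge:
        # secrets.randbelow draws uniformly from a CSPRNG; zero-pad to the
        # configured width so short codes keep their full length.
        width = self.config.passcode_digits
        code = str(secrets.randbelow(10 ** width)).zfill(width)
        expires = self.clock() + timedelta(minutes=self.config.validity_minutes)
        return OtpChallenge(passcode=code, expires_at=expires)

    def verify(self, challenge: OtpChallenge, submitted: str) -> str:
        """Return one of: verified, incorrect, expired, locked_out, rejected."""
        if self.locked_out or challenge.consumed:
            return "rejected"               # no further use of this user/code
        if self.clock() > challenge.expires_at:
            return "expired"                # validity window has passed
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(challenge.passcode.encode(), submitted.encode()):
            challenge.consumed = True
            return "verified"
        challenge.failed_attempts += 1
        if challenge.failed_attempts >= self.config.max_failed_attempts:
            self.locked_out = True          # matches the page's lockout setting
            return "locked_out"
        return "incorrect"
```

Usage: create one `OtpFactor` per user, call `issue()` when the user chooses the SMS or email factor, deliver `challenge.passcode`, and pass what the user types to `verify()`. The lockout here is per factor instance; in a real deployment it would be persisted against the user account.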
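As a second added example, also not Oracle's code and with every name, field and default assumed, this Python evaluates a sign-on policy of the kind the walkthrough describes: ordered rules with group and IP-range conditions, an action that makes the second factor required or optional with a re-prompt interval, assignment of the policy to applications, and the trusted-device settings (trust duration and maximum number of trusted devices). The sample policy reuses the page's own names (PCI applications policy, prompt all users for MFA, HR application, CRM application) and adds an assumed contractors rule to show that rule order matters.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Added illustration of sign-on policy evaluation for MFA. Not Oracle Identity
# Cloud Service code; every name, field and default here is an assumption.

@dataclass(frozen=True)
class SignOnRule:
    name: str
    groups: FrozenSet[str] = frozenset()        # condition: user in any listed group (empty = any user)
    ip_ranges: Tuple[str, ...] = ()             # condition: source IP in any listed CIDR (empty = any)
    mfa: str = "required"                       # action: "required" or "optional" second factor
    reprompt_every: Optional[timedelta] = None  # how often to ask again; None = every login

@dataclass(frozen=True)
class SignOnPolicy:
    name: str
    rules: Tuple[SignOnRule, ...]               # evaluated in order; first matching rule wins
    apps: FrozenSet[str]                        # applications assigned to the policy
    active: bool = True                         # the page's final step is to activate the policy

@dataclass(frozen=True)
class TrustedDeviceSettings:
    trust_days: int = 30                        # how long a device stays trusted
    max_trusted_devices: int = 3                # how many devices a user may mark as trusted

@dataclass(frozen=True)
class LoginContext:
    user: str
    app: str
    groups: FrozenSet[str]
    source_ip: str
    device_id: str
    now: datetime
    last_mfa_at: Optional[datetime] = None      # when this user last passed a second factor

# (user, device_id) -> trust expiry; stand-in for a persisted trusted-device store
TrustStore = Dict[Tuple[str, str], datetime]

def rule_matches(rule: SignOnRule, ctx: LoginContext) -> bool:
    """Every configured condition on the rule must hold for this login."""
    if rule.groups and not (rule.groups & ctx.groups):
        return False
    if rule.ip_ranges:
        addr = ipaddress.ip_address(ctx.source_ip)
        if not any(addr in ipaddress.ip_network(c, strict=False) for c in rule.ip_ranges):
            return False
    return True

def decide(policy: SignOnPolicy, ctx: LoginContext, trust: TrustStore) -> str:
    """Return 'password_only', 'mfa_required' or 'mfa_optional' for this login."""
    if not policy.active or ctx.app not in policy.apps:
        return "password_only"                  # policy inactive or not assigned to this app
    rule = next((r for r in policy.rules if rule_matches(r, ctx)), None)
    if rule is None:
        return "password_only"                  # no rule's conditions matched
    trusted_until = trust.get((ctx.user, ctx.device_id))
    if trusted_until is not None and ctx.now < trusted_until:
        return "password_only"                  # device is still inside its trust window
    if (rule.reprompt_every is not None and ctx.last_mfa_at is not None
            and ctx.now - ctx.last_mfa_at < rule.reprompt_every):
        return "password_only"                  # second factor was provided recently enough
    return "mfa_required" if rule.mfa == "required" else "mfa_optional"

def mark_trusted(trust: TrustStore, ctx: LoginContext, settings: TrustedDeviceSettings) -> bool:
    """Record the device as trusted unless the user already has the maximum number."""
    live = [d for (u, d), exp in trust.items() if u == ctx.user and exp > ctx.now]
    if ctx.device_id not in live and len(live) >= settings.max_trusted_devices:
        return False
    trust[(ctx.user, ctx.device_id)] = ctx.now + timedelta(days=settings.trust_days)
    return True

def sample_policy() -> SignOnPolicy:
    # Constructed from the page's walkthrough. The Contractors rule is assumed for
    # illustration: contractors are prompted on every login, everyone else every 12 hours.
    return SignOnPolicy(
        name="PCI applications policy",
        rules=(
            SignOnRule(name="prompt contractors every login", groups=frozenset({"Contractors"})),
            SignOnRule(name="prompt all users for MFA", reprompt_every=timedelta(hours=12)),
        ),
        apps=frozenset({"HR application", "CRM application"}),
    )
```

Because the first matching rule wins, the narrower Contractors rule must precede the catch-all rule; reversing them would let a contractor who passed MFA an hour ago skip the prompt. The trusted-device check also runs before the re-prompt check, so a device that was marked trusted is not asked again until the trust window lapses.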
