Exploring Oracle Mobile Authenticator and Its Applications

by Samanvitha Kumar and Narayana Khadri

Published November 2017

This article explores the features of Oracle Mobile Authenticator and how it is harnessed to provide Multi-Factor Authentication (MFA) capability in identity and access management products.

Table of Contents

 

Overview of Oracle Mobile Authenticator

Oracle Mobile Authenticator is an application from Oracle that was first released in 2014 as part of Oracle Access Management Suite. Given that digital security is an area that organizations cannot ignore, authenticating users using two-factor authentication before granting access to sensitive data is extremely important.

Oracle Mobile Authenticator enables you to securely verify identity using a mobile phone or tablet as an authentication factor. Oracle Mobile Authenticator generates a one-time passcode (OTP) for login and can receive push notifications for login, which can be approved with a simple tap. When this authentication is used in addition to a username and password, it adds an additional layer of security that is essential for today's online applications.

Oracle Mobile Authenticator works on all three mobile platforms and supports iOS 7.1+, Android 4.1+, and Windows 8.1+ operating system versions.

Figure 1 shows the Oracle Mobile Authenticator launch screen.

Overview of Multi-Factor Authentication

Wikipedia explains Multi-Factor Authentication (MFA) as "a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism—typically at least two of the following categories: knowledge (something they know [for example, a password]), possession (something they have [for example, phone or a trusted device]), and inherence (something they are [for example, biometric information])."

The use of a debit card (something a user has) and a PIN (something a user knows) to withdraw money from an ATM is one of the most common applications of MFA.

Figure 2: MFA at a glance

Whenever MFA is enabled, the traditional username and password are usually the first factor. Additional security is enforced using one or more of the following methods:

  • One-time password (OTP): An OTP is a password that is valid for only one login session or transaction on a computer system or other digital device for a short period (typically between 30 and 60 seconds). After procuring an OTP, users must type it into the application they are trying to access to authenticate themselves. Sometimes, hardware tokens can also be used to generate these passwords, and users would enter them manually.
  • SMS passcodes: This involves getting a temporary, unique passcode via a text message sent to a registered phone number. The passcode has to be entered manually to access an application.
  • Push notification: This involves sending a notification to a mobile device with details about the transaction initiated. A user can simply tap Approve to proceed with the login process.
  • Security questions: The user is typically challenged to answer a set of pre-enrolled questions. On providing the right answer, the user is redirected to the protected application.
  • Bypass codes: These are unique, OTPs that expire after a specific amount of time (typically in days). A user can pregenerate and save a bypass code or get one from an application administrator to gain access to a secure application.

MFA Using Oracle Mobile Authenticator

Oracle Mobile Authenticator can be integrated with Oracle Identity Cloud Service and Oracle Access Manager to secure their applications using MFA. It can also work in the standalone mode to generate time-based one-time passwords (TOTPs) to authenticate for applications that adhere to RFC 6238 to control access. The following sections will throw light on how Oracle Mobile Authenticator can be leveraged in the Oracle Identity Cloud Service and Oracle Access Manager landscapes to securely access critical applications.

TOTP Authentication with Oracle Mobile Authenticator

A TOTP algorithm is an algorithm that computes a one-time password from a shared secret key and the current time. As defined in RFC 6238, TOTP is an extension of the OTP algorithm, namely the Hashed Message Authentication Code (HMAC)–based one-time password (HOTP) algorithm, to support a time-based moving factor.

As defined in RFC 4226, the HOTP algorithm is based on the HMAC-SHA-1 algorithm and applied to an increasing counter value representing the message in the HMAC computation.

Basically, the output of the HMAC-SHA-1 calculation is truncated to obtain user-friendly values:

   HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))

where Truncate represents the function that can convert an HMAC-SHA-1 value into an HOTP value. K and C represent the shared secret and counter value, respectively.

TOTP is the time-based variant of this algorithm, where a value T, derived from a time reference and a time step, replaces the counter value C in the HOTP computation.

Configuring TOTP Parameters

Per RFC 6238, the default cryptographic hash method used is SHA-1 and the default password length is six. Also, any generated TOTP is valid for 30 seconds by default. In general, TOTP generators adhere to these defaults and accept the shared secret to generate a TOTP for a given account. However, in the case of Oracle Identity Cloud Service, which works in tandem with Oracle Mobile Authenticator, the administrator has the provision to tweak the parameters such as the OTP length, the hash algorithm, and the validity duration for better security.

Please refer to the section "One-Time Passcode Settings" to see how these parameters can be configured in Oracle Identity Cloud Service.

Accessing an Application Using TOTP

When an end user wants to authenticate using Oracle Mobile Authenticator, TOTP can be used as the second factor. After providing the username and password, the user is prompted to enter a TOTP value that would have been generated in the Oracle Mobile Authenticator app, as shown in Figure 3.

Figure 3: Oracle Identity Cloud Service TOTP authentication screen

Figure 4 and Figure 5 show the OTP generated in the grid and list views, respectively, of the Oracle Mobile Authenticator app. This same OTP value should be entered into Oracle Identity Cloud Service while accessing a secure application.




Figure 4: Grid view



Figure 5: List view
 

Push Notification Authentication with Oracle Mobile Authenticator

To access a protected resource in Oracle Identity Cloud Service or Oracle Access Manager, a user has to first enter login credentials. After the credentials are verified, a message prompts the user to accept the push notification sent to the registered device, as shown in Figure 6.

Figure 6: Oracle Identity Cloud Service push notification authentication screen

The push notification is sent to the registered device that has Oracle Mobile Authenticator installed and has the configured user account. When the notification appears on the device (Figure 7), the user can tap Allow or Deny to allow or block the login. Clicking Allow grants access to the secure application.

Figure 8 shows the screen that contains details about the login session: the resource being accessed, the time of login, the browser, and the IP address of access.




Figure 7: Push notification displayed on device



Figure 8: Details of login request
 

MFA in Oracle Identity Cloud Service

Oracle Identity Cloud Service is a next-generation, comprehensive security and identity platform that is cloud-native and designed to be an integral part of the enterprise security fabric, providing modern identity services for modern applications.

Oracle Identity Cloud Service provides identity management, single sign-on (SSO) capability, MFA, and identity governance for applications that are on premises or in the cloud and for mobile devices. Employees and business partners can access applications at any time, from anywhere, and on any device in a secure manner.

Figure 9: Capabilities of Oracle Identity Cloud Service

When MFA is enabled in Oracle Identity Cloud Service, users who sign in to an application are first prompted for their username and password, which is the first factor—something that they know. They are then required to use a second type of verification, for example, TOTPs, text messages (SMS), push notifications, bypass codes, or answers to security questions. The two factors work together to add an additional layer of security to verify users' identity and complete the login process.

The Oracle Mobile Authenticator app comes into play to provide support for push notifications and TOTPs in Oracle Identity Cloud Service.

To enable the use of Oracle Mobile Authenticator for MFA support in Oracle Identity Cloud Service, certain settings need to be configured in Oracle Identity Cloud Service, as described below. The screenshots shown below are from version 17.4.2 of Oracle Identity Cloud Service. Please note that the setting options will change slightly with version 17.4.6 of Oracle Identity Cloud Service.

Enabling MFA Factors Such As OTPs and Push Notifications

Use the following procedure and refer to Figure 10 to enable the use of Oracle Mobile Authenticator for MFA support in Oracle Identity Cloud Service:

  • 1. Log in to the Oracle Identity Cloud Service Admin Console and click the Security tab.
  • 2. For Select the users that you want to enable MFA for, choose either All Users or Administrators to enable MFA for a specific set of users.
  • 3. For MFA enrollment for the user is, choose either Required or Optional to make MFA mandatory or optional, respectively, for Oracle Identity Cloud Service users.
  • 4. For Select the factors that you want to enable, choose the type of factors you want to enable. 
     

    For example choose Mobile App OTP and Mobile App Notification to enable the use of OTPs and push notifications. Note that the end users need to install the Oracle Mobile Authenticator app on their mobile device, for these two factors to work.

  • 5. After selecting these two factors, click Configure (next to Mobile App OTP) to specify other Oracle Mobile Authenticator app settings such as OTP settings, the compliance policy, and Oracle Mobile Authenticator app protection. These are explained in detail in the next section, "Oracle Mobile Authenticator Settings in Oracle Identity Cloud Service."

    Figure 10: MFA settings screen in Oracle Identity Cloud Service

     

Oracle Mobile Authenticator Settings in Oracle Identity Cloud Service

The following sections describe the various types of settings that can be configured while using Oracle Mobile Authenticator in Oracle Identity Cloud Service.

One-Time Passcode Settings

As explained in earlier sections, the generation of TOTPs require a shared-secret that is shared by the server along with time sync information. The administrator can change a few other default factors such as OTP length, the hashing algorithm, and the validity interval of the generated OTP, as explained below and shown in Figure 11.

  • Passcode Length: This setting defines how many digits should be present in the passcode generated by the Oracle Mobile Authenticator app.
  • Hashing Algorithm: This setting specifies the algorithm used by Oracle Mobile Authenticator App to generate the passcode.
  • New OTP Generation: This setting specifies the number of seconds before a new OTP is generated by Oracle Mobile Authenticator app.
  • Secret Key Refreshed: This setting specifies the number of days after which the shared key is refreshed by the Oracle Mobile Authenticator app by contacting the Oracle Identity Cloud Service server.

Figure 11: TOTP settings screen in Oracle Identity Cloud Service

Oracle Mobile Authenticator App Protection Policy Settings

As shown in Figure 12, app protection and device-level policies can be set by the Oracle Identity Cloud Service admin based on the security requirements.

  • App Protection: This setting can be used to enforce a desired Oracle Mobile Authenticator app protection policy. The Oracle Mobile Authenticator app user can be asked to set up either an app PIN or a fingerprint biometric authentication to unlock the app. When the admin chooses either of these values, the Oracle Mobile Authenticator app user can be forced to authenticate with a PIN or a fingerprint

    - For every push notification request
    - For every Oracle Mobile Authenticator app startup
    - Every time Oracle Mobile Authenticator app comes to the foreground
  • Minimum PIN Length: This setting specifies the minimum number of characters for the PIN.
  • Maximum consecutive failed attempts before the app is locked: This setting specifies the maximum number of times a user can provide a wrong PIN or fingerprint, after which Oracle Mobile Authenticator gets locked.
  • Lockout duration: This setting specifies the duration in seconds for which the Oracle Mobile Authenticator app gets locked after invalid Oracle Mobile Authenticator login attempts.
  • Lockout escalation pattern: This setting defines the escalation pattern that the system follows while locking users out of the Oracle Mobile Authenticator app. ConstantLinear, and Exponential are the allowed values.

Figure 12: App Protection Policy screen in Oracle Identity Cloud Service

Oracle Mobile Authenticator Compliance Policy Settings

The compliance policy settings (see Figure 13) specify the operating systems and their specific versions on which the Oracle Mobile Authenticator app can be installed.

  • Require up-to-date patches from Oracle: This setting is used to ensure that Oracle Mobile Authenticator app users download and use the latest Oracle Mobile Authenticator app from the app store to ensure the utmost security.
  • Minimum OS version check: This setting is used to block users from using the Oracle Mobile Authenticator app on a device that has an outdated operating system.
  • Rooted devices check (iOS and Android only): This setting can be used to block users from using the Oracle Mobile Authenticator app on a device that has been jailbroken or if the rooted status is unknown.
  • Device screen lock check: This setting can be used to block users from using the Oracle Mobile Authenticator app on a device that does not have screen lock enabled, or if the screen lock status is unknown.

Figure 13: Compliance Policy settings screen in Oracle Identity Cloud Service

MFA in Oracle Access Management Access Manager

Oracle Access Management is an enterprise-level security application that is based on Java Platform, Enterprise Edition. It includes a full range of services that provide web-perimeter security functions and web-based single sign-on (SSO), identity context, authentication and authorization, policy administration, and more.

Oracle Access Management includes the Oracle Access Management Access Manager (Access Manager), which provides an SSO solution. SSO allows users and groups to access multiple applications after authentication, eliminating the need for multiple sign-on requests.

Similar to Oracle Identity Cloud Service, Access Manager provides MFA for sensitive applications that require additional security in addition to the standard username and password type of authentication. To provide MFA, it makes use of the Adaptive Authentication Service.

The Adaptive Authentication Service offers second-factor authentication. The second factor can be an OTP or an access request (or push) notification. The following MFA options are available in the Adaptive Authentication Service:

  • OTP from Oracle Mobile Authenticator
  • Access Request Notification from Oracle Mobile Authenticator
  • OTP through SMS
  • OTP through email

For the first two options, the Adaptive Authentication Service requires the use of the Oracle Mobile Authenticator app. Please refer to "Configuring the Oracle Mobile Authenticator" for details about the setup. The use of TOTP and push factors is similar to the Oracle Identity Cloud Service use cases, as described in the earlier sections on TOTP and push notification.

MFA in Third-Party Applications

Because Oracle Mobile Authenticator adheres to RFC 6238, any application protected by TOTP can be configured in Oracle Mobile Authenticator and be accessed by entering the passcode generated by Oracle Mobile Authenticator in the standalone mode. For example, if a user wants to set up MFA for Google, Facebook, or any other web account, Oracle Mobile Authenticator can be used to generate an OTP, as shown in Figure 14.

Figure 14: Adding third-party accounts in Oracle Mobile Authenticator

Configuring an Account in Oracle Mobile Authenticator

To configure an account in Oracle Mobile Authenticator, a few basic details about the account need to be provided.

  • Account Name: A uniquely identifiable account name
  • Company Name: The company to which this account belongs, for example, Oracle, Facebook, Dropbox, and so on
  • Shared Secret: A cryptographically strong random number that is shared between Oracle Mobile Authenticator and the server

The following sections describe the three mechanisms Oracle Mobile Authenticator supports for adding an account.

Manually Entering a Shared Secret

  • 1. Open the Oracle Mobile Authenticator app on your device and tap Add Account.
  • 2. Tap Enter key manually.
  • 3. Select the account type and enter your account name.
  • 4. Enter the key (shared secret) that the server application has provided and tap Save.
  • 5. (Optional) You can also the change the icon, if desired, as shown in Figure 15.

After the setup is complete, the passcode generator screen will display an OTP for the newly added account, as shown in Figure 16.




Figure 15: Configuring an account manually



Figure 16: OTP for the newly added account
 

Using a Configuration URL

Some server applications also provide the option of configuring an Oracle Mobile Authenticator account using a configuration URL. A configuration URL contains certain parameters—such as the host name, account, company name, and shared secret—and the URL is typically sent via email or displayed on the browser that is used to access the server application. Upon clicking the URL in a device on which Oracle Mobile Authenticator is installed, the device OS will ask for permission to open the link in the Oracle Mobile Authenticator app. Once permission is granted, the account configuration takes place. After the setup is complete, the passcode generator screen will display an OTP for the newly added account.

Scanning a QR Code

In most applications, using a QR code is the preferred method, because this is the easiest and quickest option for the end user.

  • 1. Open the Oracle Mobile Authenticator app on your device and tap Add Account.
  • 2. Using your device's camera, scan the QR code that the application displays, as shown in Figure 17.
  • 3. The QR code will have the necessary information to configure the account.

After the setup is complete, the passcode generator screen will display an OTP for the newly added account.

Figure 17: Scanning a QR code to add an account

Oracle Mobile Authenticator App Protection

Oracle Mobile Authenticator provides a facility to the end user to enable app protection for better security.

  • After launching the Oracle Mobile Authenticator app, click the menu icon in the upper left corner.
  • Tap App Protection and enable the toggle buttons for PIN or Touch ID, as shown in Figure 18. Note that users will be prompted to set up the PIN in case they want to enable the touch ID option.

The PIN is used to encrypt data before saving it in the device storage. This provides security, even in the event of a hacker getting access to device data. Once app protection is turned on, the user will be prompted to provide either the PIN or the touch ID while accessing Oracle Mobile Authenticator, as shown in Figure 19.




Figure 18: App Protection screen



Figure 19: Verify touch ID to open Oracle Mobile Authenticator
 

See Also

About the Authors

Samanvitha Kumar works as a principal member of technical staff in the Oracle Identity Cloud Service development team. She has over twelve years of product development experience in ecommerce, identity management, and middleware domains. She has a keen interest in technical writing and has published multiple articles in her areas of expertise in addition to presenting at various technical conferences.

Narayana Khadri holds master's degree from IIT, Delhi and is part of the Oracle Mobile Authenticator App development team. He has two years of experience in iOS app development and has a keen interest in emerging technologies such as machine learning, big data, and microservices.