Configure MFA
1. Select MFA Factors
In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then MFA.
Select the factors that you want to enable for your users: Security Questions, Mobile App Passcode, Mobile App Notification, Text Message (SMS), Email, Bypass Code, and Duo Security.
Click Save.
2. Create a Sign-On Rule for MFA
In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then Sign-On Policies.
Oracle Identity Cloud Service provides a default sign-on policy, which allows you to define criteria that Oracle Identity Cloud Service uses to determine whether to allow a user to sign in or to prevent a user from accessing Oracle Identity Cloud Service.
Click the Default Sign-On Policy.
Click the Sign-On Rules tab, and then click Add.
In the Add Rule dialog box, name the rule, and then define conditions in the Conditions section.
In the Actions section, select Prompt for reauthentication to force the user to log in to Oracle Identity Cloud Service again.
Select Prompt for an additional factor. Additional MFA settings appear for specifying whether the user is required to enroll in MFA and how often this additional factor is to be used to log in to Oracle Identity Cloud Service. Select Any Factor to prompt the user to enroll in and verify any factor enabled in the MFA tenant-level settings. Select Specific Factor to prompt the user to enroll in and verify a subset of the factors enabled in the MFA tenant-level settings. After you select Specific Factor, you can select the factors that this rule enforces.
Note: You must have selected at least one factor for MFA on the Multi-Factor Authentication (MFA) Settings page in Oracle Identity Cloud Service for the additional MFA fields to appear in the Add Rule window.
Select Required to force the user to enroll in MFA. Select Optional to give a user the option of skipping MFA enrollment.
Define the frequency that you want a user to be prompted for an additional factor when logging in using a trusted device.
- Once per Session or Trusted Device (Default) requires a user to provide a second factor when they log in for each session that they open or when they log in from a trusted device.
- Every time requires a user to provide a second factor each time that they log in.
- Once every defines how often a user provides a second factor when they log in.
Click Save.
3. Configure Other MFA Settings
In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then MFA.
Select Enable Trusted Device(s) when you want to provide users the option to mark their computer and other devices as trusted during login, and then update the trusted computer and device policy criteria according to your requirements.
Trusted devices don’t require the user to provide secondary authentication each time that they sign in (for a defined time period).
Enter the maximum number of factors (Max number of enrolled factors) that a user can enroll in.
Select the maximum number of times (Max unsuccessful MFA attempts) that a user can provide incorrect verification using their MFA factor before they are locked out of their account.
Click Save.
Configure Authentication Settings
4. Configure Mobile OTP and Notifications
In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then MFA.
Access the Mobile App Settings page by clicking Configure next to the Mobile App Passcode check box.
The default values for the Passcode Policy fields are the industry-recommended settings. Leave the defaults or update these fields according to your requirements.
In the Notification Policy section, select Enable pull notifications to allow the OMA App to pull pending notification requests from the server.
Select which app protection policy that you want to enforce on the Oracle Mobile Authenticator (OMA) app: App PIN or Fingerprint. Leave the default of None if you do not want to enforce a protection policy.
Define the app protection policy criteria according to your requirements.
Configure your compliance policy requirements such as which operating systems and which versions are allowed, detecting a rooted device, and whether a device must use screen lock.
Click Save.
5. Configure Security Questions
In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then MFA.
Access the Security Questions Settings page by clicking Configure next to the Security Questions check box.
Enter the number of security questions (Number of security questions a user must set up) that you want to ask the user.
Enter the minimum number of characters (Minimum answer length) that a user must supply for an answer to a security question.
Enter the number of security questions that a user is asked to answer (as distinct from the number a user must set up).
In the Manage Security Questions section, select the check boxes for the questions that you want to use.
Click Save.
To add custom questions, click Add Question, enter the security question, and then click Save.
6. Configure Text Message (SMS)
In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then MFA.
Access the Text Message (SMS) Settings page by clicking Configure next to the Text Message (SMS) check box.
Enter the number of digits (Passcode Length) that the system should use when generating the passcode.
Enter the number of minutes (Passcode Validity Duration) that the passcode is valid.
Use the Message Templates section to create the notification that is sent in the SMS message to the user.
Oracle Identity Cloud Service provides a fixed list of message variables for your use. The variable values are replaced at runtime with values that you specify in the message template. Click Message Variables to view the available variables and variable definitions.
7. Configure Email
In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then MFA.
Access the Email Settings page by clicking Configure next to the Email check box.
Enter the number of days for which the account activation email notification and the password reset email notification are valid.
(Optional) Click Allow the user to add an alternate email address for account recovery.
In the Passcode Length box, enter the number of digits that the system should use when generating the OTP that is sent in an email to the user.
In the Passcode Validity Duration box, enter the number of minutes that the OTP is valid.
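The sign-on rule frequency options (step 2), the Max unsuccessful MFA attempts lockout (step 3) and the Passcode Length and Passcode Validity Duration settings for SMS and Email (steps 6 and 7) combine into a small policy model. The following is an added illustration, not Oracle code; the mapping of the frequency option names to the prompting logic, and all setting values, are assumptions chosen here to show how the three settings interact.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PasscodePolicy:
    length: int = 6            # Passcode Length (digits)
    validity_minutes: int = 5  # Passcode Validity Duration
    max_attempts: int = 3      # Max unsuccessful MFA attempts before lockout


@dataclass
class PasscodeState:
    code: str
    issued_at: float  # seconds, as returned by time.time()
    failures: int = 0
    locked: bool = False


def issue_passcode(policy: PasscodePolicy, now: float) -> PasscodeState:
    # Fixed-length numeric passcode from a CSPRNG; zero-padded so a leading 0 survives.
    code = str(secrets.randbelow(10 ** policy.length)).zfill(policy.length)
    return PasscodeState(code=code, issued_at=now)


def verify_passcode(state: PasscodeState, policy: PasscodePolicy,
                    submitted: str, now: float) -> str:
    """Return 'ok', 'expired', 'locked' or 'wrong'; lockout is checked first."""
    if state.locked:
        return "locked"
    if now - state.issued_at > policy.validity_minutes * 60:
        return "expired"
    if hmac.compare_digest(state.code, submitted):  # constant-time compare
        state.failures = 0
        return "ok"
    state.failures += 1
    if state.failures >= policy.max_attempts:
        state.locked = True
        return "locked"
    return "wrong"


def needs_second_factor(frequency: str, trusted_device: bool, new_session: bool,
                        minutes_since_last: float, once_every_minutes: float = 0) -> bool:
    # Assumed semantics of the three frequency options from the sign-on rule.
    if frequency == "every_time":
        return True
    if frequency == "once_per_session_or_trusted_device":
        return new_session and not trusted_device
    if frequency == "once_every":
        return minutes_since_last >= once_every_minutes
    raise ValueError(f"unknown frequency: {frequency}")
```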
8. Configure Duo Security
Access the Duo Settings page by clicking Configure next to the Duo Security check box.
In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Security, Factors, and then select the Duo Security tab.
Enter the configuration information that was generated from your Duo Administrative account.
Click Save.
You're done!
Find out more about Oracle Identity Cloud Service
See: cloud.oracle.com/identity
What's Next?
- Adding a Sign-On Policy
- Resetting Authentication Factors for User Accounts
- Generating Bypass Codes for User Accounts
- Understanding Sign-On Policies
- Understanding Multi-Factor Authentication
- Configuring Multi-Factor Authentication Settings
- Configuring Authentication Factors