Configuring FIDO Authenticator

Configure Fast ID Online (FIDO) authentication in an identity domain in IAM so that users can authenticate with an external authentication device such as a YubiKey, or an internal device such as Windows Hello or Mac Touch ID.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want.
  3. On the domain details page, click Security.
  4. On the Security page, click Two-factor authentication.
  5. Click the FIDO authenticator tab.
  6. Configure the FIDO authenticator settings:
    • Time-out (milliseconds): The length of time the user has to complete the registration or sign-in ceremony. If the user doesn't act within this period, authentication fails. The default is 60,000 milliseconds (60 seconds).
    • Attestation: Whether the relying party asks the authenticator to prove what it is. The attestation key pair is provisioned into the device during manufacture and is specific to the device model, not to the individual unit; it is used only at registration, to prove the make and model of the authenticator being enrolled.
      • None indicates that the Relying Party is not interested in authenticator attestation; the client replaces any attestation statement with an empty one.
      • Indirect indicates that the Relying Party allows the client to anonymize the attestation data (for example through an anonymization CA) rather than forwarding it as generated.
      • Direct indicates that the Relying Party wants to receive the attestation statement exactly as the authenticator produced it. Requesting Direct only adds value if the relying party actually validates the attestation certificate chain, so choose None unless model-level enforcement is required.
    • Authenticator selection attachment: Controls the type of authenticator a user can register with.
      • Platform: Choose to use Windows Hello and Mac Touch ID.
      • Cross-Platform: Choose to use a cross-platform authenticator such as YubiKey.
      • Both: This value is the default.
    • Authenticator selection resident key: Whether the relying party requires a resident (discoverable) credential, that is, one whose private key is stored on the authenticator itself and can be found without the server first supplying a credential ID.

      None (the default) indicates that a resident key is not required. With a non-resident credential the authenticator typically wraps (encrypts) the private key into the credential ID, which is stored on the server and handed back to the authenticator at sign-in; the key material itself is never usable by the server.

    • Authenticator selection user verification: The relying party's requirements regarding user verification during Registration. Preferred is the default.
    • Public key types: The cryptographic algorithm used to generate the public key pair during Registration. IAM only certifies ES256 (the default), RS1, and RS256. RS1 is RSASSA-PKCS1-v1_5 with SHA-1 and exists for older TPM-backed authenticators; enable it only when such devices must be supported, and prefer ES256 or RS256 otherwise.
    • Exclude credentials: Used by relying parties to limit the creation of multiple credentials for the same account on a single authenticator. When selected, the credential IDs already registered for the user are sent with the registration request so the authenticator refuses to enroll a second credential for that account. The default is unselected.
  7. Click Save changes.
  8. Confirm the changes when prompted.
FIDO authentication is now an additional sign-in factor.
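The settings above are the knobs on a standard WebAuthn registration request. The following is an added example (not Oracle's code and not the IAM implementation) that shows how each setting ends up in the PublicKeyCredentialCreationOptions a relying party passes to navigator.credentials.create(): the field names on the `settings` object, the mapping of the page's "None" resident-key value to WebAuthn's "discouraged", and the sample relying party, user, and challenge values are all assumptions made for illustration. It also builds a hardened profile (security keys only, discoverable credential, user verification required, duplicate enrollment blocked) beside the page's defaults.

```javascript
// Added example, not Oracle's code: maps the FIDO authenticator settings from
// this page onto WebAuthn PublicKeyCredentialCreationOptions. The `settings`
// field names and the "None" -> "discouraged" resident-key mapping are assumptions.

// COSE algorithm identifiers for the three public key types IAM certifies.
const COSE_ALG = {
  ES256: -7,      // ECDSA with SHA-256 on P-256 (the default)
  RS256: -257,    // RSASSA-PKCS1-v1_5 with SHA-256
  RS1: -65535,    // RSASSA-PKCS1-v1_5 with SHA-1 (legacy TPM-backed authenticators only)
};

// Values WebAuthn accepts for each enumerated setting.
const ALLOWED = {
  attestation: ['none', 'indirect', 'direct'],
  attachment: ['platform', 'cross-platform', 'both'],
  residentKey: ['discouraged', 'preferred', 'required'],
  userVerification: ['discouraged', 'preferred', 'required'],
};

// Defaults as the page describes them.
const DEFAULT_SETTINGS = {
  timeoutMs: 60000,
  attestation: 'none',
  attachment: 'both',
  residentKey: 'discouraged',     // the page's "None" (assumed mapping)
  userVerification: 'preferred',
  publicKeyTypes: ['ES256'],
  excludeCredentials: false,
};

function checkEnum(name, value) {
  if (!ALLOWED[name].includes(value)) {
    throw new Error(`${name} must be one of ${ALLOWED[name].join(', ')}, got ${value}`);
  }
}

// Build the creation options for one registration ceremony. rp, user and challenge
// come from the server; existingCredentialIds are the credential IDs already
// registered for this user and feed excludeCredentials when that setting is on.
function buildCreationOptions(settings, rp, user, challenge, existingCredentialIds = []) {
  const s = { ...DEFAULT_SETTINGS, ...settings };
  if (!Number.isInteger(s.timeoutMs) || s.timeoutMs <= 0) {
    throw new Error('timeoutMs must be a positive integer');
  }
  for (const name of ['attestation', 'attachment', 'residentKey', 'userVerification']) {
    checkEnum(name, s[name]);
  }
  const pubKeyCredParams = s.publicKeyTypes.map((name) => {
    if (!(name in COSE_ALG)) throw new Error(`unsupported public key type ${name}`);
    return { type: 'public-key', alg: COSE_ALG[name] };
  });

  const authenticatorSelection = {
    residentKey: s.residentKey,
    requireResidentKey: s.residentKey === 'required', // Level 1 field, kept for old clients
    userVerification: s.userVerification,
  };
  // "Both" means no attachment constraint, so the field is simply omitted.
  if (s.attachment !== 'both') authenticatorSelection.authenticatorAttachment = s.attachment;

  return {
    rp,
    user,
    challenge,
    timeout: s.timeoutMs,
    attestation: s.attestation,
    authenticatorSelection,
    pubKeyCredParams,
    // Listing the user's existing credential IDs makes the authenticator refuse
    // to create a second credential for the same account.
    excludeCredentials: s.excludeCredentials
      ? existingCredentialIds.map((id) => ({ type: 'public-key', id }))
      : [],
  };
}

// Constructed sample inputs; in production the challenge is fresh random bytes per ceremony.
const SAMPLE_RP = { id: 'idcs.example.com', name: 'Example identity domain' };
const SAMPLE_USER = { id: new Uint8Array([1, 2, 3, 4]), name: 'alice@example.com', displayName: 'Alice' };
const SAMPLE_CHALLENGE = new Uint8Array(32).fill(0xab);

// The page's defaults: any authenticator, no attestation, ES256 only.
function defaultOptions() {
  return buildCreationOptions({}, SAMPLE_RP, SAMPLE_USER, SAMPLE_CHALLENGE);
}

// Hardened profile: security keys only, discoverable credential, PIN/biometric required,
// and no second enrollment of the same account on one authenticator.
function hardenedOptions(existingCredentialIds = []) {
  return buildCreationOptions(
    { attachment: 'cross-platform', residentKey: 'required', userVerification: 'required',
      publicKeyTypes: ['ES256', 'RS256'], excludeCredentials: true },
    SAMPLE_RP, SAMPLE_USER, SAMPLE_CHALLENGE, existingCredentialIds,
  );
}
```

Call `defaultOptions()` or `hardenedOptions([...])` and pass the result as `{ publicKey: options }` to navigator.credentials.create() in the browser; the builder rejects any algorithm outside the three IAM certifies and any enum value WebAuthn does not define, which is the same validation you would want before the options leave the server.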