Configuring Multifactor Authentication Settings

Configure multifactor authentication (MFA) settings and compliance policies that define which MFA factors are required to access an identity domain in IAM, and then configure the MFA factors.

Note

The tasks in this section are for an administrator who needs to set up MFA for an identity domain in IAM. If you're a user who needs to set up 2-step verification for yourself, see Setting Up Account Recovery and 2-Step Verification.

Before you begin:
  • Create a test user in a test identity domain. Use that identity domain to set up MFA for the first time. See Creating an Identity Domain and Creating a User.
  • Set up a client application to enable access to an identity domain using the REST API in case your Sign-On Policy configuration locks you out. If you don't set up this client application and a sign-on policy configuration restricts access to everyone, then all users are locked out of the identity domain until you contact Oracle Support. For information about setting up the client application, see Registering a Client Application.

To define MFA settings, you must be assigned to either the identity domain administrator role or the security administrator role.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want.
  3. On the domain details page, click Security.
  4. On the Security page, click MFA.
  5. Under Factors, select each of the factors that you want to be required to access an identity domain.
    For an explanation of each factor, see Configuring Authentication Factors.
  6. (Optional) Click Configure for the MFA factors that you have selected to configure them individually.
    For instructions for each factor, see Configuring Authentication Factors.
  7. (Optional) Set the Maximum number of enrolled factors that users can configure.
  8. (Optional) Use the Trusted devices section to configure trusted device settings.
    Similar to "remember my computer," trusted devices don't require the user to provide secondary authentication each time that they sign in.
  9. (Optional) Under Sign-in rules, set the maximum number of unsuccessful MFA attempts that a user is allowed before being locked out.
  10. Click Save changes, and then confirm the change.
  11. Ensure that any sign-on policies that are active allow two-step authentication:
    1. On the Security page for the domain, click Sign-on policies.
    2. On the Sign-on policies page, click Default Sign-On Policy.
    3. On the Default Sign-On Policy page, under Resources, click Sign-on rules.
    4. In the Default Sign-On Rule row, click the Actions menu (Actions Menu) and select Edit sign-on rule.
    5. In the Edit sign-on rule dialog box, under Exclude users, exclude yourself or another identity domain administrator from this rule until testing is complete. This ensures that at least one administrator always has access to the identity domain should issues arise.
    6. Under Actions, select Allow access and select Prompt for an additional factor.
    7. Click Save changes.
    8. If other sign-on policies have been added, follow the preceding steps for each of those policies to ensure that MFA is enabled under all conditions where you want it to be enabled.
      Note

      The settings for the default sign-on rule enable MFA globally. Settings for other sign-on rules might override the default sign-on rule for users and groups specified by conditions for those rules. See Managing Password Policies.

      Important

      Ensure that you exclude at least one identity domain administrator from each policy. This ensures that at least one administrator always has access to the identity domain should issues arise.

      Set Enrollment as Optional until you're finished testing the sign-on policy.

  12. To test the configuration, sign out of the Console and then sign in as the test user.
    You should be prompted for a second factor.
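The following is an added illustrative model of how the settings above interact, written for this page; it is not Oracle's code and does not reproduce the IAM engine. The class and function names (`MfaSettings`, `SignOnRule`, `User`, `evaluate_sign_in`, `record_mfa_attempt`, `admins_with_guaranteed_access`) are assumptions. It shows why excluding an administrator from the default sign-on rule keeps a recovery path open, how the Sign-in rules lockout threshold and trusted devices change the outcome, and it includes a pre-flight check that a practitioner can run over a planned policy set before saving changes.

```python
"""Illustrative model of identity-domain sign-on rule evaluation (added example,
not Oracle's implementation). All names are assumptions made for this page."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class MfaSettings:
    # Mirrors the MFA page: enabled factors, enrollment mode, lockout threshold, trusted devices
    factors: Set[str] = field(default_factory=lambda: {"Mobile App Passcode"})
    enrollment: str = "Optional"          # "Optional" while testing, "Required" afterwards
    max_unsuccessful_attempts: int = 3    # Sign-in rules: unsuccessful MFA attempts before lockout
    trust_devices: bool = True            # Trusted devices: skip the second factor on a known device


@dataclass
class SignOnRule:
    name: str
    exclude_users: Set[str] = field(default_factory=set)
    allow_access: bool = True
    prompt_additional_factor: bool = False
    groups: Optional[Set[str]] = None     # None = applies to everyone (the default rule)


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    enrolled_factors: Set[str] = field(default_factory=set)
    failed_mfa_attempts: int = 0
    locked: bool = False


def matching_rule(policy: List[SignOnRule], user: User) -> SignOnRule:
    """A group-specific rule overrides the default rule; the default rule is the fallback."""
    for rule in policy:
        if rule.groups is not None and rule.groups & user.groups:
            return rule
    return next(r for r in policy if r.groups is None)  # raises if no default rule exists


def evaluate_sign_in(policy, settings: MfaSettings, user: User, trusted_device: bool = False) -> str:
    """Decision after the primary factor succeeded:
    ALLOW, PROMPT_MFA, ENROLL_OPTIONAL, ENROLL_REQUIRED, or DENY."""
    if user.locked:
        return "DENY"
    rule = matching_rule(policy, user)
    if user.name in rule.exclude_users:
        return "ALLOW"                    # excluded users never reach the MFA prompt
    if not rule.allow_access:
        return "DENY"
    if not rule.prompt_additional_factor:
        return "ALLOW"
    if settings.trust_devices and trusted_device:
        return "ALLOW"                    # "remember my computer" behaviour
    if not user.enrolled_factors & settings.factors:
        return "ENROLL_REQUIRED" if settings.enrollment == "Required" else "ENROLL_OPTIONAL"
    return "PROMPT_MFA"


def record_mfa_attempt(settings: MfaSettings, user: User, success: bool) -> str:
    """Apply the Sign-in rules lockout counter after a second-factor attempt."""
    if success:
        user.failed_mfa_attempts = 0
        return "ALLOW"
    user.failed_mfa_attempts += 1
    if user.failed_mfa_attempts >= settings.max_unsuccessful_attempts:
        user.locked = True
        return "LOCKED"
    return "RETRY"


def admins_with_guaranteed_access(policy: List[SignOnRule], admins: Set[str]) -> Set[str]:
    """Pre-flight check before saving: administrators excluded from every rule that
    prompts for MFA or denies access, so they can never be locked out by the policy."""
    blocking = [r for r in policy if r.prompt_additional_factor or not r.allow_access]
    return {a for a in admins if all(a in r.exclude_users for r in blocking)}


if __name__ == "__main__":
    # Constructed sample: default rule prompts everyone for MFA, one admin excluded.
    policy = [SignOnRule("Default Sign-On Rule", exclude_users={"admin1"}, prompt_additional_factor=True)]
    settings = MfaSettings()
    print(admins_with_guaranteed_access(policy, {"admin1", "admin2"}))  # only admin1 is safe
    tester = User("testuser", enrolled_factors={"Mobile App Passcode"})
    print(evaluate_sign_in(policy, settings, tester))                      # PROMPT_MFA
```

Run the pre-flight check against every rule you plan to save; if the returned set is empty, the policy set as drafted would leave no administrator with an exclusion, which is the situation the registered client application from the prerequisites exists to recover from.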