Managing Multifactor Authentication

This topic describes how users can manage multifactor authentication (MFA) in Oracle Cloud Infrastructure.

Required IAM Policy

Only the user can enable multifactor authentication (MFA) for their own account. Users can also disable MFA for their own accounts. Members of the Administrators group can disable MFA for other users, but they cannot enable MFA for another user.

About Multifactor Authentication

Multifactor authentication is a method of authentication that requires the use of more than one factor to verify a user's identity.

With MFA enabled in the IAM service, when a user signs in to Oracle Cloud Infrastructure, they are prompted for their user name and password, which is the first factor (something that they know). The user is then prompted to provide a second verification code from a registered MFA device, which is the second factor (something that they have). The two factors work together, requiring an extra layer of security to verify the user's identity and complete the sign-in process.

In general, MFA may include any two of the following:

  • Something that you know, like a password.

  • Something that you have, like a device.

  • Something that you are, like your fingerprint.

The IAM service supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).

General Concepts

Here's a list of the basic concepts you need to be familiar with.

MULTIFACTOR AUTHENTICATION (MFA)
Multifactor authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user's identity. Examples of authentication factors are a password (something you know) and a device (something you have).
AUTHENTICATOR APP
An app you install on your mobile device that can provide software-based secure tokens for identity verification. Examples of authenticator apps are Oracle Mobile Authenticator and Google Authenticator. To enable MFA for the IAM service, you'll need a device with an authenticator app installed. You'll use the app to register your device and then you'll use the same app (on the same device) to generate a time-based one-time passcode every time you sign in.
REGISTERED MOBILE DEVICE
Multifactor authentication is enabled for a specific user and for a specific device. The procedure to enable MFA for a user includes the registration of the mobile device. This same device must be used to generate the time-based one-time passcode every time the user signs in. If the registered mobile device becomes unavailable, an administrator must disable MFA for the user so that MFA can be re-enabled with a new device.
TIME-BASED ONE-TIME PASSWORD (TOTP)
A TOTP is a password (or passcode) that is generated by an algorithm that computes a one-time password from a shared secret key and the current time, as defined in RFC 6238. The authenticator app on your registered mobile device generates the TOTP that you need to enter every time you sign in to Oracle Cloud Infrastructure.

Supported Authenticator Apps

The following authenticator apps have been tested with the Oracle Cloud Infrastructure IAM service:

  • Oracle Mobile Authenticator
  • Google Authenticator

You can find these apps in your mobile device's app store. You must install one of these apps on your mobile device before you can enable MFA.

Working with MFA

Keep the following in mind when you enable MFA:

  • You must install a supported authenticator app on the mobile device you intend to register for MFA.
  • Each user must enable MFA for themselves using a device they will have access to every time they sign in. An administrator cannot enable MFA for another user.
  • To enable MFA, you use your mobile device's authenticator app to scan a QR code that is generated by the IAM service and displayed in the Console. The QR code shares a secret key with the app to enable the app to generate TOTPs that can be verified by the IAM service.
  • A user can register only one device to use for MFA.
  • After you add your Oracle Cloud Infrastructure account to your authenticator app, the account name displays in the authenticator app as Oracle <tenancy_name> - <username>.

Restricting Access to Only MFA-Verified Users

You can restrict access to resources to only users that have been authenticated through the IAM service's time-based one-time password authentication. You set up this restriction in the policy that allows access to the resource.

To restrict the access granted through a policy to only MFA-verified users, add the following where clause to the policy:

where request.user.mfaTotpVerified='true'

For example, assume your company has this policy in place to allow GroupA to manage instances:

allow group GroupA to manage instance-family in tenancy

To enhance security, you want to ensure that only users who have been verified through MFA can manage instances. To restrict access to only these users, revise the policy statement as follows:

allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'

With this policy in place, only the members of GroupA who have successfully signed in by entering both their password and the time-based one-time passcode generated by their registered mobile device, are allowed to access and manage instances. Users who have not enabled MFA and sign in using only their password, will not be allowed access to manage instances.

For information on writing policies, see Policy Syntax.

Sign in Process After Enabling MFA

After you have enabled MFA, use one of the following procedures to sign in to Oracle Cloud Infrastructure:

To sign in using the Console
  1. Navigate to the Console sign-in page.
  2. Enter your Oracle Cloud Infrastructure User Name and Password and then click Sign In.

    After your user name and password are authenticated, you have successfully supplied the first factor for authentication. The secondary authentication page displays and prompts you to enter a one-time passcode, as shown in the following screenshot.

    Screenshot of the secondary authentication sign in page
  3. Open the authenticator app on your registered mobile device and then open the account for your Oracle Cloud Infrastructure tenancy. The following screenshot shows an example from Oracle Mobile Authenticator.

    Screenshot of the Oracle Mobile Authenticator app showing a TOTP

  4. Enter the passcode displayed by your authenticator app (for example, 219604) and then click Sign In.

    Important: The authenticator app generates a new time-based one-time passcode every 30 seconds. You must enter a code while the code is still valid. If you miss the time window for one passcode, you can enter the next one that is generated. Just ensure that you enter the code that is currently displayed by your app.

To sign in using the command line interface (CLI)
  1. To sign in with the CLI, run the following command:

    oci session authenticate --region US East (Ashburn)

    A browser window opens, and a prompt instructs you to use the browser to sign in.

    Please switch to newly opened browser window to log in!
  2. In the browser window, enter your Oracle Cloud Infrastructure User Name and Password and then click Sign In.

    After your user name and password are authenticated, you have successfully supplied the first factor for authentication. The secondary authentication page displays and prompts you to enter a one-time passcode, as shown in the following screenshot.

    Screenshot of the secondary authentication sign in page
  3. Open the authenticator app on your registered mobile device and then open the account for your Oracle Cloud Infrastructure tenancy. The following screenshot shows an example from Oracle Mobile Authenticator.

    Screenshot of the Oracle Mobile Authenticator app showing a TOTP

  4. Enter the passcode displayed by your authenticator app (for example, 219604) and then click Sign In.

    Important: The authenticator app generates a new time-based one-time passcode every 30 seconds. You must enter a code while the code is still valid. If you miss the time window for one passcode, you can enter the next one that is generated. Just ensure that you enter the code that is currently displayed by your app.

    After you authenticate, prompts instruct you to return to the CLI and enter the name of a profile.

  5. In the CLI, type a name for the profile.

    Tip

    For more information about working with the CLI, see Quickstart and Get Started with the Command Line Interface.

What To Do If You Lose Your Registered Mobile Device

If you lose your registered mobile device, you will not be able to authenticate to Oracle Cloud Infrastructure through the Console. Contact your administrator to disable multifactor authentication for your account. You can then repeat the process to enable multifactor authentication with a new mobile device.

Unblocking a User After Unsuccessful Sign-in Attempts

If a user tries 10 times in a row to sign in to the Console unsuccessfully, they will be automatically blocked from further sign-in attempts. An administrator can unblock the user in the Console (see To unblock a user) or with the UpdateUserState API operation.

Disabling MFA

Each user can disable MFA for themselves. An administrator can also disable MFA for another user.

Caution

Do not disable MFA unless you are instructed to by your administrator.

Deleting Inactive MFA TOTP Devices

You cannot find and delete inactive MFA TOTP devices from the console, but you can use OCI CLI commands with Cloud Shell to find them and delete them.

An inactive MFA TOTP device can happen when MFA is enabled for a user, and the user has clicked Enable Multifactor Authentication, but then has failed to authenticate the device.

Use the OCI CLI mfa-totp-device list and delete commands to identify the MFA TOTP devices for a user and then delete the inactive device.

If more than one user has inactive MFA TOTP devices, perform this task for each user.

  1. First, get the OCID of the user:
    1. Open the navigation menu and click Identity & Security. Under Identity, click Users.
    2. Click the user account, and on the User information tab click Copy next to OCID. This copies the user's OCID to the clipboard.
  2. Start Cloud Shell from the Console. See Using Cloud Shell.
  3. Use the mfa-totp-device list command and enter the OCID of the user as the --user-id parameter. For example:
    oci iam mfa-totp-device list 
    --user-id ocid1.user.oc1..aaaaaaaaltrya5y7o6wo3takzongrlii6voxqghfso73pamsgksao6jboaya
    Any MFA TOTP devices associated with the user are listed. If the user has no MFA TOTP devices nothing is returned.

    A device which has not been activated shows "is-activated": false.

    Make a note of the OCID of the device and the OCID of the user to use as parameters in the next step.

    • The OCID of the inactive device is the id value.
    • The OCID of the user is the user-id value.
  4. Use the mfa-totp-device delete command and enter the OCID of the inactive device as the --mfa-totp-device-id parameter, and the OCID of the user as the --user-id parameter. For example:
    oci iam mfa-totp-device delete 
    --mfa-totp-device-id ocid1.credential.oc1..aaaaaaaaqv36sq6usjin5wefohpthsf4shnzh3snvioe3ezr57ce5ctoahcq
    --user-id ocid1.user.oc1..aaaaaaaaltrya5y7o6wo3takzongrlii6voxqghfso73pamsgksao6jboaya
    Confirm that you want to delete the resource.

Using the Console

Use the following procedures to manage MFA in the Console.

To enable MFA for your user account

Prerequisite: You must install a supported authenticator app on the mobile device you intend to register for MFA.

  1. In the upper-right corner of the Console, open the Profile menu and then select User Settings. Your user details are displayed.
  2. Click Enable Multi-Factor Authentication.
  3. Scan the QR code displayed in the dialog with your mobile device's authenticator app.

    Note: If you close the browser, or if the browser crashes before you can enter the verification code, you must generate a new QR code and scan it again with your app. To generate a new QR code, click the Enable Multi-Factor Authentication button again.

  4. In the Verification Code field, enter the code displayed on your authenticator app.
  5. Click Enable.

Your mobile device is now registered with the IAM service and your account is enabled for MFA. Every time you sign in, you are prompted for your username and password first. After you provide the correct credentials, you will be prompted for a TOTP code generated by the authenticator app on your registered mobile device. You must have your registered mobile device available every time you sign in to Oracle Cloud Infrastructure.

To disable MFA for your user account
  1. In the upper-right corner of the Console, open the Profile menu and then select User Settings. Your user details are displayed.

  2. Click Disable Multi-Factor Authentication.
  3. Confirm when prompted.
To disable MFA for another user
  1. Open the navigation menu and click Identity & Security. Under Identity, click Users. A list of the users in your tenancy is displayed.
  2. Click the user you want to update. The user's details are displayed.
  3. Click Disable Multi-Factor Authentication.
  4. Confirm when prompted.

Using the API

For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.

Note

Updates Are Not Immediate Across All Regions

Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions.

Use these API operations to manage multifactor authentication devices: