by Samanvitha Kumar and Narayana Khadri
This article explores the features of Oracle Mobile Authenticator and how it is harnessed to provide Multi-Factor Authentication (MFA) capability in identity and access management products.
Published November 2017
Oracle Mobile Authenticator is an application from Oracle that was first released in 2014 as part of Oracle Access Management Suite. Given that digital security is an area that organizations cannot ignore, authenticating users using two-factor authentication before granting access to sensitive data is extremely important.
Oracle Mobile Authenticator enables you to securely verify identity using a mobile phone or tablet as an authentication factor. Oracle Mobile Authenticator generates a one-time passcode (OTP) for login and can receive push notifications for login, which can be approved with a simple tap. When this authentication is used in addition to a username and password, it adds an additional layer of security that is essential for today's online applications.
Oracle Mobile Authenticator works on all three mobile platforms and supports iOS 7.1+, Android 4.1+, and Windows 8.1+ operating system versions.
Figure 1 shows the Oracle Mobile Authenticator launch screen.
Figure 1: Oracle Mobile Authenticator launch screen
Wikipedia explains Multi-Factor Authentication (MFA) as "a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism—typically at least two of the following categories: knowledge (something they know [for example, a password]), possession (something they have [for example, phone or a trusted device]), and inherence (something they are [for example, biometric information])."
The use of a debit card (something a user has) and a PIN (something a user knows) to withdraw money from an ATM is one of the most common applications of MFA.
Figure 2: MFA at a glance
Whenever MFA is enabled, the traditional username and password are usually the first factor. Additional security is enforced using one or more of the following methods:
Oracle Mobile Authenticator can be integrated with Oracle Identity Cloud Service and Oracle Access Manager to secure applications with MFA. It can also work in standalone mode to generate time-based one-time passwords (TOTPs) for any application that uses RFC 6238 to control access. The following sections explain how Oracle Mobile Authenticator can be leveraged in the Oracle Identity Cloud Service and Oracle Access Manager landscapes to securely access critical applications.
The TOTP algorithm computes a one-time password from a shared secret key and the current time. As defined in RFC 6238, TOTP is an extension of the Hashed Message Authentication Code (HMAC)–based one-time password (HOTP) algorithm that replaces the counter with a time-based moving factor.
As defined in RFC 4226, the HOTP algorithm is based on the HMAC-SHA-1 algorithm and applied to an increasing counter value representing the message in the HMAC computation.
Basically, the output of the HMAC-SHA-1 calculation is truncated to obtain user-friendly values:
HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))
where Truncate represents the function that can convert an HMAC-SHA-1 value into an HOTP value. K and C represent the shared secret and counter value, respectively.
TOTP is the time-based variant of this algorithm, where a value T, derived from a time reference and a time step, replaces the counter value C in the HOTP computation.
Per RFC 6238, the default cryptographic hash function is SHA-1 and the default password length is six digits. Also, any generated TOTP is valid for 30 seconds by default. In general, TOTP generators adhere to these defaults and accept only the shared secret to generate a TOTP for a given account. However, in the case of Oracle Identity Cloud Service, which works in tandem with Oracle Mobile Authenticator, the administrator can adjust parameters such as the OTP length, the hash algorithm, and the validity duration for better security.
Please refer to the section "One-Time Passcode Settings" to see how these parameters can be configured in Oracle Identity Cloud Service.
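The HOTP and TOTP computations described above, as an added example (this is not Oracle's code and not the Oracle Mobile Authenticator implementation). It implements RFC 4226 and RFC 6238 with the three parameters the text says an administrator can tune (digits, hash algorithm, and time step), and adds a server-side verify function with a small clock-skew window and a constant-time comparison. The function names and the `window` parameter are this example's own; the secrets and expected codes below are the published RFC 4226 / RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
import time

# RFC test secrets (ASCII). RFC 6238 uses a 20-, 32- and 64-byte secret
# for SHA-1, SHA-256 and SHA-512 respectively.
RFC_SECRET_SHA1 = b"12345678901234567890"
RFC_SECRET_SHA256 = b"12345678901234567890123456789012"
RFC_SECRET_SHA512 = b"1234567890" * 6 + b"1234"


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HOTP(K, C) = Truncate(HMAC(K, C)).

    The counter C is encoded as an 8-byte big-endian integer and used as
    the HMAC message; dynamic truncation picks 4 bytes at an offset taken
    from the low nibble of the last MAC byte, masks the sign bit, and
    reduces modulo 10^digits (zero-padded).
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float = None, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238: TOTP = HOTP(K, T) with T = floor((now - T0) / step).

    `step` is the validity interval (30 s by default); `digits` and
    `algorithm` are the OTP length and hash function.
    """
    if at_time is None:
        at_time = time.time()
    t = (int(at_time) - t0) // step
    return hotp(key, t, digits, algorithm)


def verify_totp(key: bytes, candidate: str, at_time: float = None, step: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or any step
    within +/- `window` steps to tolerate clock drift (assumed policy, not
    an Oracle setting). Uses a constant-time comparison so timing does not
    leak how many leading digits matched.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    if at_time is None:
        at_time = time.time()
    t = int(at_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(key, t + delta, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Reproduce the RFC 6238 vector for T = 59 with each hash function.
    for name, key in (("sha1", RFC_SECRET_SHA1), ("sha256", RFC_SECRET_SHA256),
                      ("sha512", RFC_SECRET_SHA512)):
        print(name, totp(key, at_time=59, digits=8, algorithm=name))
```

Widening `window` trades stricter replay resistance for tolerance of unsynchronised device clocks; a verifier should also remember the last accepted time step per account so the same code cannot be replayed within the window.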
When an end user authenticates using Oracle Mobile Authenticator, TOTP can be used as the second factor. After providing the username and password, the user is prompted to enter the TOTP value generated in the Oracle Mobile Authenticator app, as shown in Figure 3.
Figure 3: Oracle Identity Cloud Service TOTP authentication screen
Figure 4 and Figure 5 show the OTP generated in the grid and list views, respectively, of the Oracle Mobile Authenticator app. This same OTP value should be entered into Oracle Identity Cloud Service while accessing a secure application.
Figure 4: Grid view
Figure 5: List view
To access a protected resource in Oracle Identity Cloud Service or Oracle Access Manager, a user has to first enter login credentials. After the credentials are verified, a message prompts the user to accept the push notification sent to the registered device, as shown in Figure 6.
Figure 6: Oracle Identity Cloud Service push notification authentication screen
The push notification is sent to the registered device that has Oracle Mobile Authenticator installed and the user account configured. When the notification appears on the device (Figure 7), the user can tap Allow or Deny to allow or block the login. Tapping Allow grants access to the secure application.
Figure 8 shows the screen that contains details about the login session: the resource being accessed, the time of login, the browser, and the IP address of access.
Figure 7: Push notification displayed on device
Figure 8: Details of login request
Oracle Identity Cloud Service is a next-generation, comprehensive security and identity platform that is cloud-native and designed to be an integral part of the enterprise security fabric, providing modern identity services for modern applications.
Oracle Identity Cloud Service provides identity management, single sign-on (SSO) capability, MFA, and identity governance for applications that are on premises or in the cloud and for mobile devices. Employees and business partners can access applications at any time, from anywhere, and on any device in a secure manner.
Figure 9: Capabilities of Oracle Identity Cloud Service
When MFA is enabled in Oracle Identity Cloud Service, users who sign in to an application are first prompted for their username and password, which is the first factor—something that they know. They are then required to use a second type of verification, for example, TOTPs, text messages (SMS), push notifications, bypass codes, or answers to security questions. The two factors work together to add an additional layer of security to verify users' identity and complete the login process.
The Oracle Mobile Authenticator app comes into play to provide support for push notifications and TOTPs in Oracle Identity Cloud Service.
To enable the use of Oracle Mobile Authenticator for MFA support in Oracle Identity Cloud Service, certain settings need to be configured in Oracle Identity Cloud Service, as described below. The screenshots shown below are from version 17.4.2 of Oracle Identity Cloud Service. Please note that the setting options will change slightly with version 17.4.6 of Oracle Identity Cloud Service.
Use the following procedure and refer to Figure 10 to enable the use of Oracle Mobile Authenticator for MFA support in Oracle Identity Cloud Service:
For example, choose Mobile App OTP and Mobile App Notification to enable the use of OTPs and push notifications. Note that end users need to install the Oracle Mobile Authenticator app on their mobile device for these two factors to work.
Figure 10: MFA settings screen in Oracle Identity Cloud Service
The following sections describe the various types of settings that can be configured while using Oracle Mobile Authenticator in Oracle Identity Cloud Service.
As explained in earlier sections, generating TOTPs requires a shared secret, which the server provides along with time-synchronization information. The administrator can change a few other defaults, such as the OTP length, the hashing algorithm, and the validity interval of the generated OTP, as explained below and shown in Figure 11.
Figure 11: TOTP settings screen in Oracle Identity Cloud Service
As shown in Figure 12, app protection and device-level policies can be set by the Oracle Identity Cloud Service admin based on the security requirements.
Figure 12: App Protection Policy screen in Oracle Identity Cloud Service
The compliance policy settings (see Figure 13) specify the operating systems and their specific versions on which the Oracle Mobile Authenticator app can be installed.
Figure 13: Compliance Policy settings screen in Oracle Identity Cloud Service
Oracle Access Management is an enterprise-level security application that is based on Java Platform, Enterprise Edition. It includes a full range of services that provide web-perimeter security functions and web-based single sign-on (SSO), identity context, authentication and authorization, policy administration, and more.
Oracle Access Management includes the Oracle Access Management Access Manager (Access Manager), which provides an SSO solution. SSO allows users and groups to access multiple applications after authentication, eliminating the need for multiple sign-on requests.
Similar to Oracle Identity Cloud Service, Access Manager provides MFA for sensitive applications that require additional security in addition to the standard username and password type of authentication. To provide MFA, it makes use of the Adaptive Authentication Service.
The Adaptive Authentication Service offers second-factor authentication. The second factor can be an OTP or an access request (or push) notification. The following MFA options are available in the Adaptive Authentication Service:
For the first two options, the Adaptive Authentication Service requires the use of the Oracle Mobile Authenticator app. Please refer to "Configuring the Oracle Mobile Authenticator" for details about the setup. The use of TOTP and push factors is similar to the Oracle Identity Cloud Service use cases, as described in the earlier sections on TOTP and push notification.
Because Oracle Mobile Authenticator adheres to RFC 6238, any application protected by TOTP can be configured in Oracle Mobile Authenticator and accessed by entering the passcode generated by Oracle Mobile Authenticator in standalone mode. For example, if a user wants to set up MFA for Google, Facebook, or any other web account, Oracle Mobile Authenticator can be used to generate the OTP, as shown in Figure 14.
Figure 14: Adding third-party accounts in Oracle Mobile Authenticator
To configure an account in Oracle Mobile Authenticator, a few basic details about the account need to be provided.
The following sections describe the three mechanisms Oracle Mobile Authenticator supports for adding an account.
After the setup is complete, the passcode generator screen will display an OTP for the newly added account, as shown in Figure 16.
Figure 15: Configuring an account manually
Figure 16: OTP for the newly added account
Some server applications also provide the option of configuring an Oracle Mobile Authenticator account using a configuration URL. A configuration URL contains certain parameters—such as the host name, account, company name, and shared secret—and is typically sent via email or displayed in the browser used to access the server application. Upon tapping the URL on a device on which Oracle Mobile Authenticator is installed, the device OS asks for permission to open the link in the Oracle Mobile Authenticator app. Once permission is granted, the account configuration takes place. After the setup is complete, the passcode generator screen will display an OTP for the newly added account.
In most applications, using a QR code is the preferred method, because this is the easiest and quickest option for the end user.
After the setup is complete, the passcode generator screen will display an OTP for the newly added account.
Figure 17: Scanning a QR code to add an account
Oracle Mobile Authenticator lets the end user enable app protection for better security.
The PIN is used to encrypt data before it is saved in device storage, so the stored account secrets remain protected even if an attacker gains access to the device data. Once app protection is turned on, the user is prompted for either the PIN or touch ID when opening Oracle Mobile Authenticator, as shown in Figure 19.
Figure 18: App Protection screen
Figure 19: Verify touch ID to open Oracle Mobile Authenticator
Samanvitha Kumar works as a principal member of technical staff in the Oracle Identity Cloud Service development team. She has over twelve years of product development experience in ecommerce, identity management, and middleware domains. She has a keen interest in technical writing and has published multiple articles in her areas of expertise in addition to presenting at various technical conferences.
Narayana Khadri holds a master's degree from IIT Delhi and is part of the Oracle Mobile Authenticator app development team. He has two years of experience in iOS app development and has a keen interest in emerging technologies such as machine learning, big data, and microservices.