Managing Multi-Factor Authentication

This topic describes how users can manage multi-factor authentication (MFA) in Oracle Cloud Infrastructure.

Required IAM Policy

A user can enable multi-factor authentication (MFA) only for their own account; no other user or administrator can enable it on their behalf. Users can also disable MFA for their own accounts. Members of the Administrators group can disable MFA for other users, but they cannot enable MFA for another user.

About Multi-Factor Authentication

Multi-factor authentication is a method of authentication that requires the use of more than one factor to verify a user’s identity.

With MFA enabled in the IAM service, when a user signs in to Oracle Cloud Infrastructure, they are prompted for their user name and password, which is the first factor (something that they know). The user is then prompted to provide a verification code from a registered MFA device, which is the second factor (something that they have). The two factors work together, providing an extra layer of security to verify the user's identity and complete the sign-in process.

In general, MFA may include any two of the following:

  • Something that you know, like a password.

  • Something that you have, like a device.

  • Something that you are, like your fingerprint.

The IAM service supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).

General Concepts

Here's a list of the basic concepts you need to be familiar with.

Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one factor to verify a user’s identity. Examples of authentication factors are a password (something you know) and a device (something you have).
Authenticator App
An app you install on your mobile device that can provide software-based secure tokens for identity verification. Examples of authenticator apps are Oracle Mobile Authenticator and Google Authenticator. To enable MFA for the IAM service, you'll need a device with an authenticator app installed. You'll use the app to register your device and then you'll use the same app (on the same device) to generate a time-based one-time passcode every time you sign in.
Registered Mobile Device
Multi-factor authentication is enabled for a specific user and for a specific device. The procedure to enable MFA for a user includes the registration of the mobile device. This same device must be used to generate the time-based one-time passcode every time the user signs in. If the registered mobile device becomes unavailable, an administrator must disable MFA for the user so that MFA can be re-enabled with a new device.
Time-Based One-Time Password (TOTP)
A TOTP is a password (or passcode) that is generated by an algorithm that computes a one-time password from a shared secret key and the current time, as defined in RFC 6238. The authenticator app on your registered mobile device generates the TOTP that you need to enter every time you sign in to Oracle Cloud Infrastructure.

Supported Authenticator Apps

The following authenticator apps have been tested with the Oracle Cloud Infrastructure IAM service:

  • Oracle Mobile Authenticator
  • Google Authenticator

You can find these apps in your mobile device's app store. You must install one of these apps on your mobile device before you can enable MFA.

Working with MFA

Keep the following in mind when you enable MFA:

  • You must install a supported authenticator app on the mobile device you intend to register for MFA.
  • Each user must enable MFA for themselves using a device they will have access to every time they sign in. An administrator cannot enable MFA for another user.
  • To enable MFA, you use your mobile device's authenticator app to scan a QR code that is generated by the IAM service and displayed in the Console. The QR code shares a secret key with the app to enable the app to generate TOTPs that can be verified by the IAM service.
  • A user can register only one device to use for MFA.
  • After you add your Oracle Cloud Infrastructure account to your authenticator app, the account name displays in the authenticator app as Oracle <tenancy_name> - <username>.

Restricting Access to Only MFA-Verified Users

You can restrict access to resources to only users that have been authenticated through the IAM service's time-based one-time password authentication. You set up this restriction in the policy that allows access to the resource.

To restrict the access granted through a policy to only MFA-verified users, add the following where clause to the policy:

where request.user.mfaTotpVerified='true'

For example, assume your company has this policy in place to allow GroupA to manage instances:

allow group GroupA to manage instance-family in tenancy

To enhance security, you want to ensure that only users who have been verified through MFA can manage instances. To restrict access to only these users, revise the policy statement as follows:

allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'

With this policy in place, only the members of GroupA who have signed in successfully by entering both their password and the time-based one-time passcode generated by their registered mobile device are allowed to access and manage instances. Users who have not enabled MFA and sign in using only their password are not allowed to manage instances.

For information on writing policies, see Policy Syntax.
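A practical follow-up to the policy revision above is auditing existing statements for privileged grants that lack the mfaTotpVerified condition. The following checker is an added example, not an Oracle tool: it recognises the group-statement form shown on this page (allow group ... to VERB RESOURCE in SCOPE [where ...]) and reports statements granting the chosen verbs without the condition. The sample statements are constructed.

```python
import re
from typing import List, Optional, Sequence

# One OCI IAM policy statement of the form shown on this page:
#   allow group <name> to <verb> <resource-type> in <scope> [where <condition>]
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)

# The condition this page uses to restrict a grant to MFA-verified users.
MFA_CONDITION = re.compile(r"request\.user\.mfaTotpVerified\s*=\s*'true'", re.IGNORECASE)


def requires_mfa(statement: str) -> Optional[bool]:
    """True if the where clause contains the MFA condition, False if it does not,
    None if the line is not a group statement this checker understands.
    Caveat: the condition is only looked for, not evaluated; a clause such as
    any { <mfa condition>, <other condition> } still needs manual review."""
    m = STATEMENT.match(statement)
    if not m:
        return None
    return MFA_CONDITION.search(m.group("where") or "") is not None


def find_unprotected(statements: Sequence[str],
                     verbs: Sequence[str] = ("manage",)) -> List[str]:
    """Return the statements that grant one of `verbs` without the MFA condition."""
    findings = []
    for s in statements:
        m = STATEMENT.match(s)
        if m and m.group("verb").lower() in verbs and requires_mfa(s) is False:
            findings.append(s.strip())
    return findings


if __name__ == "__main__":
    sample = [  # constructed sample policy
        "allow group GroupA to manage instance-family in tenancy",
        "allow group GroupA to manage instance-family in tenancy "
        "where request.user.mfaTotpVerified='true'",
        "allow group Auditors to read all-resources in tenancy",
    ]
    for finding in find_unprotected(sample):
        print("missing MFA condition:", finding)
```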

Sign in Process After Enabling MFA

After you have enabled MFA, use one of the following procedures to sign in to Oracle Cloud Infrastructure:

To sign in using the Console
To sign in using the command line interface (CLI)

What To Do If You Lose Your Registered Mobile Device

If you lose your registered mobile device, you will not be able to authenticate to Oracle Cloud Infrastructure through the Console. Contact your administrator to disable multi-factor authentication for your account. You can then repeat the process to enable multi-factor authentication with a new mobile device.

Unblocking a User After Unsuccessful Sign-in Attempts

If a user tries 10 times in a row to sign in to the Console unsuccessfully, they will be automatically blocked from further sign-in attempts. An administrator can unblock the user in the Console (see To unblock a user) or with the UpdateUserState API operation.

Disabling MFA

Each user can disable MFA for themselves. An administrator can also disable MFA for another user.

Do not disable MFA unless you are instructed to by your administrator.

Using the Console

Use the following procedures to manage MFA in the Console.

To enable MFA for your user account
To disable MFA for your user account
To disable MFA for another user

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Updates Are Not Immediate Across All Regions

Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions.

Use these API operations to manage multi-factor authentication devices: