Multifactor Authentication

UAA Multifactor Authentication

UAA multifactor authentication (MFA) is a mechanism that adds a second factor to the user authentication and verification process. MFA works in conjunction with the primary authentication method, the user's password. When MFA is enabled, users attempt to log in with their password and are then redirected to the MFA registration or code verification page. Users are signed in only after the second authentication factor is satisfied.

UAA supports secondary authenticators based on the Time-based One-Time Password (TOTP) protocol, such as Google Authenticator.
Note: Currently, Google Authenticator is the only type of authenticator that UAA recognizes. The ability to onboard other secondary authenticators, such as YubiKey, RSA SecurID and Duo Security, will be added in future releases.

Creating an MFA Provider

About This Task

Multifactor authentication (MFA) providers are scoped to an IdentityZone in UAA. As an admin, you can create an MFA provider on a per-zone basis. Once you set up MFA for a UAA zone, you can enable or disable the MFA provider for users in that zone.

Procedure

Create a Google Authenticator type of authenticator for your zone using the create an MFA provider API. This is a one-time operation.
Note: You cannot update an existing provider or add different types of authenticators on a per-zone basis. UAA will add this capability in future releases.

What To Do Next

After you create an MFA provider for a UAA zone, you must enable MFA for users in that zone; see uaas-multifactor-auth.html#task_uty_j4b_xdb for more information.

Enabling an MFA Provider for a UAA Zone

About This Task

Once you create an MFA provider for a UAA zone, you can enable MFA for users in that zone.

When an MFA provider is enabled, all users in the given zone are required to enter their password and then go through the Google Authenticator code verification process to authenticate successfully with UAA.

Procedure

  1. Set the mfaConfig property in the IdentityZone configuration to enable MFA for that zone.
  2. Update the IdentityZone configuration using the update the IdentityZone API. The providerName is the unique name of the provider that was used at the time of creation.

Disabling an MFA Provider for a UAA Zone

About This Task

You can disable an MFA provider for a UAA zone. When you disable the MFA configuration for a user in a specific zone, you do not need to modify or delete the MFA provider created earlier for that zone.

Procedure

Set the mfaConfig property to false to disable MFA for a given zone.

Understanding MFA User Flow

If you are a first-time application user, you must register your phone application with your UAA account before you start using Google Authenticator.

Registering First Time Application Users

About This Task

You must enter your username and password to log in to UAA. After you log in, UAA detects whether MFA is enabled for your zone and redirects you to complete the first-time registration process.

You can start using Google Authenticator after you register your phone application with your UAA account.

Procedure

Scan the QR code that appears on your screen to follow the registration process.
Note: This is a required step for all first-time users. If you have already completed this step once, you can skip it and proceed to enter your 6-digit verification code.
The following screenshot shows a set of instructions to install Google Authenticator on your mobile device and the QR code that you scan as part of the registration process.

What To Do Next

See uaas-multifactor-auth.html#task_pfw_5z2_ydb.

Entering One-Time Authentication Code

After you register your application with your UAA account, you can use the generated 6-digit Google Authenticator code to complete the second factor of the authentication process.

Procedure

  1. Click Next to use the generated code and complete the authentication process.
    The following screenshot shows the field in which you enter your 6-digit Google Authenticator code.
  2. Enter your 6-digit code and click Verify to complete the registration process.

Deleting MFA Registration

You can delete the MFA registration for a specific user. The MFA registration for a user is tied to the Google Authenticator application used during MFA configuration. If the user uninstalls the application or switches to a new phone, the UAA account must be registered again with a new authenticator application.

  1. Admins can delete the MFA credentials for a user using the delete MFA registration API.
    Note: Deleting an MFA provider deletes the MFA registration for all users of that provider.
  2. Any user whose MFA registration was deleted must go through the MFA registration process again, as described in uaas-multifactor-auth.html#task_lmd_pj2_wdb.