Setting up Two-Factor Authentication (TFA) - Oracle Authenticator

Oracle Authenticator is a multi-factor authentication application developed by Oracle that acts as an additional layer of security by prompting a second factor of authentication during login. Oracle mobile authenticator is available in iOS 12.0+ and Android 5.0+. You can install Oracle Authenticator on your smartphone or tablet devices. The second level of authentication is a one-time password generated by the Oracle authenticator with a 6-digit number.

How does Oracle Authenticator Work with PAM360?

1. A user tries to access the PAM360 web interface
2. As the first factor of authentication, PAM360 authenticates the user through local authentication/AD/Microsoft Entra ID/LDAP
3. PAM360 prompts for the second-factor authentication through the configured Oracle Authenticator
4. The user enters the six-digit code from the Oracle Authenticator GUI
5. PAM360 grants access to the user for the PAM360 web interface for further operations

The following sections will help you to configure and use the Oracle Authenticator as the Two-Factor Authentication (TFA):

1. Configuring TFA in PAM360
2. Enforcing TFA for Required Users
3. Connecting to PAM360 Web Interface when TFA via Oracle Authenticator is Enabled
4. Troubleshooting Tip

1. Configuring TFA in PAM360

1. Navigate to 'Admin >> Authentication >> Two-factor Authentication'.
2. Enable the option Oracle Authenticator and then click Save.
3. Click on Confirm to enforce Oracle Authenticator as the second factor of authentication to PAM360.

2. Enforcing TFA for Required Users

Once you enforce the Oracle - Authenticator as the second factor of authentication, a new window will prompt with the existing PAM360 users details. Select the users for whom the TFA is to be enforced.

1. From here, you can enable or disable the TFA individually or in bulk:
   1. To enable TFA individually, click the Enable button beside their respective username.
   2. To enable TFA in bulk, select the required usernames and click the Enable button at the top of the users' list.
   3. Similarly, follow the above steps with the Disable button to disable the TFA for the respective users.
   
2. You can also enable/disable TFA for the users later by navigating to 'Users >> More Actions >> Two-factor Authentication'.

3. Connecting to PAM360 Web Interface with Enabled Oracle TFA

3.1 Prerequisite

Before you log in to PAM360, install the Oracle Authenticator application on your smartphone or tablet. Oracle Authenticator officially supports Android, iPhone, and iPad devices. To install, and to know more about Oracle Authenticator, click here.

3.2 Connecting to the PAM360 Web Interface

As mentioned in the above section, for the TFA-enabled users, the first level of authentication will be through the usual authentication, i.e., the users have to authenticate through PAM360's local authentication or AD/Microsoft Entra ID/LDAP authentication. Follow the below steps to configure the PAM360 account in the Oracle Authenticator during the initial login for TFA:

1. Upon launching the PAM360 web interface, the user has to enter the local authentication credentials or Microsoft Entra ID/AD/LDAP password to log in to PAM360 and click Login.

2. If you log in to PAM360 for the first time after enabling TFA through Oracle Authenticator, you will be prompted to associate it with your PAM360 account. Follow the below steps to associate Oracle Authenticator with your PAM360 account:
   1. Launch the Oracle Authenticator application on your mobile device/tablet.
   2. Tap the '+' button or click Add Account.
   
   3. Then, point your device to the QR code shown in the PAM360 GUI to scan the QR code to add the account. This will automatically configure Oracle Authenticator and will start generating authentication codes for PAM360.
   4. After completing this, enter the current token for authentication in the text box.
   
3. If you have trouble scanning the QR code, the automatic setup will not work. Alternatively, you can carry out the following manual steps in the Oracle Authenticator application to complete the configuration process:
   1. Click the text 'I have trouble scanning this barcode!' present below the barcode in the PAM360 GUI.
   2. From the Oracle authenticator application, tap the '+' button or click Add Account.
   3. Tap the Enter key manually and select the Account Type as Others.
   4. Enter the Account name and the Key and click Save. The Key is the alphanumeric key shown in the PAM360 GUI.
4. Oracle Authenticator is now configured and will start generating the authentication codes periodically. Enter the current generated code to continue logging into PAM360.

4. Troubleshooting Tip

As you know, the Oracle Authenticator is associated with your PAM360 account. If you lose your mobile device/tablet or accidentally delete the Oracle - Authenticator app from your device, you will still be able to get the generated codes to log in to PAM360. In such scenarios,

1. Click the link "Have trouble using Oracle Authenticator?" on the PAM360 login screen.
2. You will be prompted to enter your PAM360 Username and the Email address associated with PAM360.
3. You will receive instructions to get Oracle Authenticator again via the above-mentioned Email.