UAA will now support stronger forms of authentication. This is meant to be used in conjunction with a primary mechanism like password authentication. Currently, UAA supports TOTP based secondary authenticators like Google authenticator. Several mobile apps are available which allow you to generate verification codes. Typically, any app supporting Time-based One-Time Password (TOTP) protocol will work. UAA has been tested to work with Google Authenticator.
MFA providers are scoped to an IdentityZone in UAA. The first step to setting up MFA for a UAA Zone is to create an MFA provider in that zone. UAA will have the capability to onboard several secondary authenticators like YubiKey, RSA SecureID, Google Authenticator, Duo Security. Currently, only Google authenticator will be recognized. To create one of this type, please use
API to Create an MFA provider.
This is typically a one time operation, although the same provider can be updated or more providers of different types can be added per zone, when UAA starts supporting the same.
MFA providers are enabled/disabled at the zone level.
Enabling MFA is done by setting mfaConfig property in the IdentityZone configuration. Update Identity Zone config. Please note that the providerName is the unique name of the provider used at the time of creation. When enabled, all the users in the given zone will have to go through password + google authenticator to successfully authenticate with UAA.
To disable MFA for a given zone, the zone admin only needs to update the IdentiyZone configuration by setting mfaConfig property to false.
The MFA provider created earlier need not be modified/deleted.
When authenticating with UAA, the user will provide their primary authentication (password) like before. Then, they will be redirected to the MFA registration (first time) or code page.
To start using Google Authenticator, every user will have to register their phone application with their UAA account. This is typically done by scanning a QR code that is shown to them.
Once the user has registered their application with their UAA account, they can now use the generated code to complete the second step of their authentication.
Like we've seen above, the MFA registration for a user is tied with the google authenticator app that was used during setup. If the user uninstalls the app or changes to a new phone for example, the UAA account needs to be registered again with the new authenticator application. To do this, an admin can delete the mfa credentials for this user using Delete MFA registration API. The user then goes through first time user step as above. In the future, user will be able to do this as a self-service by using something a recovery code. Deleting an MFA provider will delete MFA registration for all the users for that provider.
Contributors
112 People are following this .
