
In today’s landscape where security and user experience are paramount, Oracle Fusion Applications fully supports cutting-edge authentication technologies from identity providers (IDPs) like Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) identity domains. This approach enables users to authenticate using secure passwordless methods, enhancing security measures and improving the overall user experience.

The shift toward passwordless authentication

Passwordless authentication eliminates the need for traditional passwords, which are routinely exposed through breaches, reuse, and phishing. By using biometric data or security keys, passwordless authentication strengthens security, simplifies user access, and removes the burden of managing complex passwords. Together these benefits reduce the risk of password theft while enhancing the overall user experience.

FIDO: The new standard for phishing resistance

The Fast Identity Online (FIDO) Alliance has set the standard for passwordless authentication, emphasizing strong cryptographic methods that are robust, easy to use, and resistant to threats like phishing. FIDO-based authentication relies on public key cryptography: during registration the user's device generates a key pair, keeps the private key on the device, and registers only the public key with the service provider. At sign-in the device proves possession of the private key by signing a fresh challenge from the service. Because the private key never leaves the device, it can't be intercepted or stolen, even when the user is presented with a fraudulent login page or link. Using OCI IAM identity domains, Fusion Applications supports device biometrics, such as Windows Hello and Apple Touch ID, and cross-platform authenticators like YubiKey as authentication factors.

Figure: a workflow connecting a user to OCI with FIDO-supported security measures.

FIDO authentication is phishing-resistant for the following reasons:

  • No passwords exchanged: With FIDO, no shared secret is exchanged between the user and the service; the service holds only the public key. Without a password to capture, threat actors can't harvest credentials through spoofed websites or phishing emails, and a breach of the service's credential store yields nothing that can be used to log in.
  • Domain-specific authentication: A FIDO credential is bound to the relying party identifier (the service's domain) it was registered for, and the browser presents it only to an origin that matches that identifier. A look-alike phishing domain therefore can't trigger a valid assertion, and an assertion produced for one site can't be replayed against a different, fraudulent, or unauthorized service.
  • Device-based verification: FIDO relies on hardware-backed authenticators, such as security keys or the biometric sensors and secure hardware in phones and laptops, which hold the private key in non-exportable form. The signing capability can't be copied off the device the way a password can, so a threat actor needs physical possession of the authenticator, plus the user's biometric or PIN, to use it.

OCI IAM identity domains: The backbone of secure authentication

OCI IAM identity domains serve as the identity provider for Fusion Applications and as the central place for managing identities and access to them. The service provides a comprehensive platform for implementing a wide range of authentication methods, including passwordless and FIDO-based options, making it integral to a secure authentication strategy. By integrating these technologies, OCI IAM enables organizations to:

  • Strengthen security: Eliminating passwords significantly reduces the risk of credential theft. FIDO-based authentication goes further by using cryptographic key pairs (passkeys) that are bound to the application's domain, so they are resistant to phishing attempts.
  • Improve the user experience: Users get a seamless login experience with familiar methods, such as fingerprints, facial recognition, or hardware tokens, which are more convenient than typing passwords.
  • Simplify management: OCI IAM centralizes authentication policy, so administrators can configure and enforce security settings once for the whole organization.
  • Improve auditability and governance: OCI IAM records authentication and administrative events centrally, giving the oversight an organization needs to meet its audit and compliance requirements.

Implementing passwordless and FIDO-based authentication in Oracle Fusion Applications

To implement passwordless and FIDO-based authentication in Oracle Fusion Applications, use the following steps:

  1. Set up an OCI IAM identity domain: Configure OCI IAM as the identity provider for Fusion Applications and enable multifactor authentication (MFA).
  2. Configure authentication factors: Set up FIDO and mobile-based MFA factors in the Oracle Cloud Console.
  3. Enable passwordless authentication: Activate the “Enable UserName First” option in OCI IAM so that the sign-in page collects the username first and then prompts for the configured factors instead of a password.
  4. Set up a sign-on policy: Create the policy to enforce the use of FIDO together with mobile app notifications or a passcode.
  5. Configure default IdP settings: Disable the Chooser Page and set OCI IAM as the default IdP for Fusion Applications, so that UI-based users can't fall back to authenticating with local accounts.
  6. Restrict basic authentication: Apply a WAF policy that blocks basic authentication (username and password only) for all accounts in Fusion Applications, so that clients can't bypass the identity domain sign-on policy with a local username and password.
  7. User rollout: Users register their devices by logging into Oracle Fusion Applications through their OCI IAM identity domain, setting up their preferred authentication methods, such as Windows Hello, Apple Touch ID, or YubiKey, and configuring a mobile app-based authentication factor.
  8. User authentication: After registration, users authenticate with their mobile app and a FIDO factor, gaining access to Oracle Fusion Applications without relying on traditional passwords.