Enable Multi-Factor Authentication for User Accounts

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Multi-Factor Authentication (MFA) is enabled for all IAM user accounts in order to protect access to your Oracle Cloud Infrastructure (OCI) resources, applications, and data. MFA adds a second layer of verification on top of the existing user credentials (i.e., username and password). By requiring more than one mechanism to authenticate a user, MFA prevents an attacker who holds stolen or weak credentials from signing in with the password alone. Oracle Cloud Infrastructure supports TOTP authenticator apps such as Oracle Mobile Authenticator and Google Authenticator.

Security

When Multi-Factor Authentication (MFA) is enabled, a user must present at least two separate forms of verification before access is granted. MFA-protected user accounts are an effective safeguard for your Oracle Cloud Infrastructure (OCI) resources because an attacker would have to compromise at least two different authentication methods to gain access, which significantly reduces the risk of account takeover through phishing, credential stuffing, or password reuse.

Audit

To determine if Multi-Factor Authentication is enabled for all users with a console password, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 In the Identity domain navigation panel, choose Security, and select Sign-on policies.

06 Click on the name (link) of the Security Policy for OCI Console sign-on policy. If Security Policy for OCI Console is not available, select the Default Sign-On Policy policy.

07 Choose the rule with the highest priority, click on the Actions menu (i.e., 3-dot icon), select Edit sign-on rule, and choose Continue.

08 Check the Actions configuration section to determine whether Multi-Factor Authentication (MFA) is required for IAM user login. If Allow access is selected but the Prompt for an additional factor checkbox is not checked, Multi-Factor Authentication (MFA) is not required. As a result, the authentication process for the IAM user accounts within the selected OCI domain is not MFA-protected.

09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account, including the tenancy root:

oci iam compartment list \
	--all \
	--include-root \
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam domain list command (Windows/macOS/Linux) to list the OCI identity domains created for the selected Oracle Cloud Infrastructure (OCI) compartment:

oci iam domain list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data[].["display-name","url"]'

04 The command output should return the name and the endpoint of each OCI domain available in the selected compartment:

[
	[
		"Project5",
		"https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443"
	],
	[
		"Default",
		"https://idcs-aaaabbbbccccddddabcdabcd1234abcd.identity.oraclecloud.com:443"
	]
]

05 Run identity-domains users list command (Windows/macOS/Linux) against the domain endpoint returned in the previous step, and filter the output with jq to find IAM users whose MFA status is anything other than ENROLLED (a user with no MFA extension in the output has never enrolled and is also selected):

oci identity-domains users list \
	--all \
	--endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443' | jq -r '.data.resources[] | select(."urn-ietf-params-scim-schemas-oracle-idcs-extension-mfa-user"."mfa-status"!="ENROLLED")' | grep -i "user-name"

06 The command output should return the usernames of the OCI IAM users without MFA protection:

"user-name": "cc-project5-developer",
"user-name": "cc-domain-secops-dev",
"user-name": "cc-iam-access-manager"

If the identity-domains users list command output returns one or more usernames, as shown in the example above, Multi-Factor Authentication (MFA) is not enabled for the listed IAM users. As a result, the authentication process is not MFA-protected for all the IAM users within the selected domain.

07 Repeat steps no. 5 and 6 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

08 Repeat steps no. 3 – 7 for each compartment available within your OCI account.
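The CLI audit above is three commands repeated per compartment and per domain. The script below is an added example (not part of the original article or of the Trend Vision One product) that chains those same commands and applies the same filter as the jq expression, with two practitioner caveats built in: a user record that has no MFA extension at all is reported as not enrolled rather than silently skipped, and each finding carries the user's active flag so disabled accounts can be triaged separately. The helper names, the sample JSON, and the MISSING status label are assumptions introduced here; the `oci` invocations are the ones shown in steps 01, 03 and 05.

```python
"""Added example: walk compartments -> identity domains -> users with the
OCI CLI and report every user whose MFA status is not ENROLLED.

Assumptions (not from the original page): the helper names are ours, the
`oci` binary is on PATH with a working profile, and a user record that lacks
the MFA extension entirely is treated as not enrolled.
"""
import json
import subprocess
from typing import Any

# SCIM extension that carries the per-user MFA state in OCI CLI output.
MFA_EXT = "urn-ietf-params-scim-schemas-oracle-idcs-extension-mfa-user"

# Constructed sample of `oci identity-domains users list` output, trimmed to
# the fields this audit needs; not real tenancy data.
SAMPLE_USERS_RESPONSE: dict[str, Any] = {
    "data": {
        "resources": [
            {"user-name": "cc-project5-developer", "active": True,
             MFA_EXT: {"mfa-status": "UN_ENROLLED"}},
            {"user-name": "cc-domain-secops-dev", "active": True},  # extension absent
            {"user-name": "cc-iam-access-manager", "active": False,
             MFA_EXT: {"mfa-status": "IGNORED"}},
            {"user-name": "cc-secops-lead", "active": True,
             MFA_EXT: {"mfa-status": "ENROLLED"}},
        ]
    }
}


def oci_json(*args: str) -> Any:
    """Run one OCI CLI command and parse its JSON output."""
    proc = subprocess.run(["oci", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def mfa_status(user: dict[str, Any]) -> str:
    """Return the user's mfa-status, or MISSING when the extension is absent."""
    ext = user.get(MFA_EXT) or {}
    return ext.get("mfa-status") or "MISSING"


def users_without_mfa(users_response: dict[str, Any]) -> list[dict[str, Any]]:
    """Same filter as the jq expression in step 05, keeping status and active flag."""
    findings = []
    for user in users_response.get("data", {}).get("resources", []):
        status = mfa_status(user)
        if status != "ENROLLED":
            findings.append({
                "user-name": user.get("user-name"),
                "mfa-status": status,
                "active": bool(user.get("active", False)),
            })
    return findings


def list_compartment_ids() -> list[str]:
    """Step 01: tenancy root plus every compartment OCID."""
    return oci_json("iam", "compartment", "list", "--all", "--include-root",
                    "--query", 'data[]."id"')


def list_domains(compartment_id: str) -> list[list[str]]:
    """Step 03: [display-name, url] pairs for one compartment."""
    return oci_json("iam", "domain", "list", "--compartment-id", compartment_id,
                    "--query", 'data[].["display-name","url"]')


def audit_tenancy() -> dict[str, list[dict[str, Any]]]:
    """Steps 01-08 end to end: domain display name -> users not MFA-enrolled."""
    report: dict[str, list[dict[str, Any]]] = {}
    for compartment_id in list_compartment_ids():
        for name, url in list_domains(compartment_id):
            users = oci_json("identity-domains", "users", "list", "--all",
                             "--endpoint", url)
            report[name] = users_without_mfa(users)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_tenancy(), indent=2))
```

Run it with a profile that can list compartments and read users in every domain; an empty list for a domain means every user there is ENROLLED. If the MFA extension never appears in the `users list` output for your tenancy, request it explicitly with the command's `--attribute-sets all` option before trusting a MISSING result.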

Remediation / Resolution

To enable Multi-Factor Authentication (MFA) for your Oracle Cloud Infrastructure (OCI) IAM user accounts, perform the following operations:

Enabling Multi-Factor Authentication (MFA) for OCI IAM user accounts using Command-Line Interface (CLI) is not currently supported.

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 In the Identity domain navigation panel, choose Security, and select Sign-on policies.

06 Click on the name (link) of the Security Policy for OCI Console sign-on policy. If Security Policy for OCI Console is not available, select the Default Sign-On Policy policy.

07 Choose the rule with the highest priority, click on the Actions menu (i.e., 3-dot icon), select Edit sign-on rule, and choose Continue.

08 In the Actions configuration section, perform the following operations:

  1. Select Allow access to provide IAM user access.
  2. Check the Prompt for an additional factor setting checkbox, select Specified factors only, and choose the authenticators that you want to use. Ensure that Mobile app passcode, Mobile app notification, and Bypass code are selected (recommended).
  3. For Frequency, choose Every time to ensure that IAM users receive an authentication prompt with each login.
  4. For Enrollment, choose Required to require IAM users to enroll in Multi-Factor Authentication.
  5. Check the Consent checkbox, select the appropriate justification, and choose Save changes to apply the configuration changes. From now on, all IAM users must use Multi-Factor Authentication (MFA) to sign in to the OCI console.

09 Anyone signing in to the Oracle Cloud Infrastructure (OCI) console will now be prompted to complete the MFA enrollment process using the Oracle Mobile Authenticator app. Once logged in as an IAM user, choose Enable Secure Verification and follow the instructions provided by the Oracle Mobile Authenticator app to complete the MFA enrollment.

10 Repeat steps no. 4 - 9 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

11 Repeat steps no. 3 – 10 for each compartment available within your OCI account.

Publication date Mar 11, 2025