Configuring Passwordless Login using Configurable Challenges

Configurable Challenges is a feature of Oracle Universal Authenticator (OUA) that allows passwordless login within a configurable time window. Administrators can customize the methods of second factor authentication that are allowed to use passwordless login, and the duration of the time window.

For example, when a user logs into their device, they login with their OAM credentials, followed by authentication using a second factor. With configurable challenges a user can skip entering their OAM password if they last logged in, or performed a second factor only login, within a specified time window.

In order to configure configurable challenges, administrators can set the following parameters within Oracle Advanced Authentication:

Parameter Default Value Description
oua.drss.skipPrimaryAuthDurationWithLastFullAuth 1800 seconds (30 minutes) Specifies the time duration from the last full OAM login. If the last full OAM login is within this time duration, the user will not be prompted for their OAM password, and will be allowed to authenticate using only the second factor. Once the duration elapses, the user will be prompted to enter their full OAM credentials, followed by a second factor.
oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth 600 seconds (10 minutes) Specifies the time duration from the last successful second factor only login time. If the user performed a second factor only login within this time duration, the user will not be prompted for their OAM password, and will be allowed to authenticate using only the second factor. When their duration elapses, the user will be prompted for their OAM credentials, followed by a second factor.
oua.drss.skipPrimaryAuthFactorTrustLevel 3

Specifies the trust level value for skip password rule evaluation.

The trust level determines which factors are allowed to perform a passwordless login within the oua.drss.skipPrimaryAuthDurationWithLastFullAuth and oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth time periods.

The default trust levels are as follows:
  • Trust Level 1 = SMS Challenge
  • Trust Level 2 = Yubico Yubikey TOTP, OMA TOTP
  • Trust Level 3 = Email Challenge
  • Trust Level 4 = Push Notification Challenge

For example, if TrustLevel=3, then all those factor assigned level 3 or higher are allowed to perform passwordless login.

Administrators can change the trust level for individual factors using the bharosa.uio.default.challenge.type.enum.{FACTOR_KEY}.oua.trustLevel parameters outlined in the rows below.

Note:

FIDO2 and Security Question challenge is not currently supported with Oracle Universal Authenticator.
bharosa.uio.default.challenge.type.enum.ChallengeSMS.oua.trustLevel 1 Sets the trust level for the SMS Challenge.
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.oua.trustLevel 2 Sets the trust level for the OMA TOTP Challenge.
bharosa.uio.default.challenge.type.enum.ChallengeYubicoOTP.oua.trustLevel 2 Sets the trust level for the Yubikey Yubico OTP Challenge.
bharosa.uio.default.challenge.type.enum.ChallengeEmail.oua.trustLevel 3 Sets the trust level for the Email Challenge.
bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.oua.trustLevel 4 Sets the trust level for the OMA Push Challenge.
oua.drss.allowPrimaryAuthDuringMFAOnly true Determines whether the user is given the option to login with their OAM password during a second factor only login.

For details on how to set these parameters using REST API's, see Configuration Properties for OUA in Configuration Properties for OAA.

The following examples show the authentication flow based on the default values for the above parameters:

Example 1:

  • A user logs in at 9 AM with their OAM credentials, and uses the Email challenge as a second factor to authenticate.
  • The user locks their machine at 9.15 AM.
  • The user unlocks their machine at 9.20 AM and enters their OAM username.
  • The user did not authenticate with only a second factor in the last 10 minutes, (oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth=10).
  • The user did however perform a full login with their OAM credentials 20 minutes ago, which is inside the 30 minute window (oua.drss.skipPrimaryAuthDurationWithLastFullAuth=30).
  • The user is therefore allowed to use passwordless login using any registered second factor at trust level 3 or above (oua.drss.skipPrimaryAuthFactorTrustLevel=3), for example Email Challenge (bharosa.uio.default.challenge.type.enum.ChallengeEmail.oua.trustLevel=3) or Push Notification Challenge (bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.oua.trustLevel=4).

Example 2

  • A user logs in at 9 AM with their OAM credentials, and uses the SMS challenge as a second factor to authenticate.
  • The user reboots their machine at 9.15 AM.
  • The user attempts to login to their machine at 9.20 AM.
  • The user enters their OAM username.
  • The user did not authenticate with only a second factor in the last 10 minutes, (oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth=10).
  • The user did however perform a full login with their OAM credentials 20 minutes ago, which is inside the 30 minute window (oua.drss.skipPrimaryAuthDurationWithLastFullAuth=30).
  • The user is therefore allowed to use passwordless login using any registered second factor at trust level 3 or above (oua.drss.skipPrimaryAuthFactorTrustLevel=3), for example Email Challenge (bharosa.uio.default.challenge.type.enum.ChallengeEmail.oua.trustLevel=3) or Push Notification Challenge (bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.oua.trustLevel=4). The user cannot use the SMS challenge again because that is at trust level 2 (bharosa.uio.default.challenge.type.enum.ChallengeSMS.oua.trustLevel=2).
  • If the user does not have not have a registered factor at trust level 3 or above, they cannot perform a passwordless login and are asked to login with their full OAM credentials, and then authenticate with any registered second factor.
Example 3
  • A user logs in at 9 AM with their OAM credentials, and uses the Push Notification challenge as a second factor to authenticate.
  • The user locks their machine at 9.05 AM.
  • The user unlocks their machine at 9.25 AM and enters their OAM username.
  • The user did not authenticate with only a second factor in the last 10 minutes, (oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth=10.
  • The user did however perform a full login with their OAM credentials 25 minutes ago, which is inside the 30 minute window (oua.drss.skipPrimaryAuthDurationWithLastFullAuth=30).
  • The user is therefore allowed to use passwordless login and is only asked to authenticate with the Push Notification Challenge.
  • The user locks their machine again at 9.30 AM.
  • The user unlocks their machine at 9.32 AM and enters their OAM username.
  • The user did authenticate with only a second factor in the last 10 minutes, (oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth=10
  • The user is therefore allowed to use passwordless login using any registered second factor at trust level 3 or above (oua.drss.skipPrimaryAuthFactorTrustLevel=3), for example Email Challenge (bharosa.uio.default.challenge.type.enum.ChallengeEmail.oua.trustLevel=3) or Push Notification Challenge (bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.oua.trustLevel=4).
  • The user authenticates with the Push Notification Challenge and locks their screen again at 9.40 AM.
  • The user unlocks their screen again at 10 AM and enters their OAM username.
  • The user did not authenticate using only a second factor in the last 10 minutes, (oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth=10, nor did they perform a full login with their OAM credentials in the last 30 minutes (oua.drss.skipPrimaryAuthDurationWithLastFullAuth=30).
  • The user is therefore asked to login with their full OAM credentials, and then authenticate with any registered second factor.