Configuring the Answer Logic

9-2 Oracle Fusion Middleware Administrators Guide for Oracle Adaptive Access Manager

9.1.2 About Out-of-Band OTP Delivery

Oracle Adaptive Access Manager 11g contains one time password authentication capabilities that support delivery of the OTP via the following four out-of-band channels:

■ email
■ SMS
■ voice messaging
■ instant messaging

By default, only cell phone registration is displayed on the OTP Registration page.

9.1.3 How Does OTP Work?

During the registration process in OAAM, the user is asked to register for questions, image, phrase and, if the deployment supports OTP, an OTP email address, phone number, and so on. Once successfully registered, OTP can be used as a secondary authentication to challenge the user. The administrator can enable OTP if the deployment supports it.

The login process begins with entering standard user name and password credentials. During a session, for example, when the user is making a large transaction, the user may be OTP-challenged: a one-time password is delivered to the user through the configured delivery channel. The user retrieves the one-time password and enters it. If the correct answer is provided, the user is directed to continue with the operation. If the user answers incorrectly, he is allowed further attempts until he either answers correctly or is locked out of his account after a certain number of failures. By default, the user is allowed three attempts to provide the correct answer.

9.1.4 OTP Failure Counters

The failure counter is incremented each time the user supplies an incorrect answer to an OTP challenge. OTP failures are counted across sessions, so the counter is not reset by ending a session and starting another. Whether the user is locked out after a number of successive OTP failures or may try again depends on the maximum number of OTP failures allowed, which the administrator sets. When the failure counter exceeds this value, the user is OTP Locked and has no further opportunity to answer. An OTP-locked user must contact a Customer Service Representative to be unlocked. When the correct OTP is provided, the failure counter is reset to 0 and the user is allowed to proceed with the operation.

9.2 Challenge Type

The challenge type is the delivery channel used to send an OTP to the user. For example, policies can challenge using OTP via the challenge types email, SMS, IM, or Voice. An integrator can create or configure a challenge type to handle every stage of a required challenge: generating the secret used for the challenge, delivering the secret to the user, and finally validating the user's input.
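The flow of 9.1.3, the cross-session failure counter of 9.1.4 and the generate/deliver/validate responsibilities of a challenge type in 9.2, put together in one runnable model. This is an added example, not OAAM code: every class, method and property name here is invented, the OTP length is an assumption the guide does not state, and the "three attempts" default is taken as the administrator-set maximum.

```python
"""Model of an OTP challenge with a pluggable challenge type (generate, deliver,
validate) and a failure counter that persists across sessions. Added
illustration, not OAAM code: all names are invented and the OTP length is assumed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 3   # the default three attempts (9.1.3), taken as the admin-set maximum
OTP_DIGITS = 6     # assumed; the guide does not state a length

class OTPLocked(Exception):
    """Failure counter reached the maximum; only a CSR unlock clears it."""

@dataclass
class ChallengeType:
    """One delivery channel, owning the whole challenge (9.2)."""
    name: str                                    # e.g. "ChallengeSMS"
    sent: List[Tuple[str, str, str]] = field(default_factory=list)  # demo outbox

    def generate(self) -> str:
        return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, zero-padded

    def deliver(self, address: str, otp: str) -> None:
        self.sent.append((self.name, address, otp))  # a real channel would call UMS here

    def validate(self, expected: str, supplied: str) -> bool:
        return hmac.compare_digest(expected, supplied)  # constant-time compare

@dataclass
class UserOTPState:
    address: str                   # registered phone / email / IM handle
    failures: int = 0              # counted across sessions (9.1.4)
    locked: bool = False
    pending: Optional[str] = None  # OTP of the open challenge, if any

class OTPService:
    def __init__(self, channel: ChallengeType, max_failures: int = MAX_FAILURES):
        self.channel = channel
        self.max_failures = max_failures
        self.users: Dict[str, UserOTPState] = {}

    def challenge(self, user: str) -> None:
        """Issue a fresh OTP; refused while the user is OTP-locked."""
        state = self.users[user]
        if state.locked:
            raise OTPLocked(user)
        state.pending = self.channel.generate()
        self.channel.deliver(state.address, state.pending)

    def answer(self, user: str, supplied: str) -> bool:
        state = self.users[user]
        if state.locked:
            raise OTPLocked(user)
        if state.pending is None:
            return False                         # nothing outstanding, e.g. a replay after success
        if self.channel.validate(state.pending, supplied):
            state.pending = None                 # single use
            state.failures = 0                   # reset on success (9.1.4)
            return True
        state.failures += 1
        if state.failures >= self.max_failures:  # the third wrong answer spends the last attempt
            state.locked = True
            state.pending = None
        return False

    def csr_unlock(self, user: str) -> None:   # Customer Service Representative unlock (9.1.4)
        self.users[user].locked = False
        self.users[user].failures = 0

def _wrong(otp: str) -> str:
    return f"{(int(otp) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

def run_demo() -> dict:
    # One constructed user across four sessions; returns the observations for checking.
    svc = OTPService(ChallengeType("ChallengeSMS"))
    alice = svc.users["alice"] = UserOTPState(address="+1 555 0100")  # constructed
    out = {}
    svc.challenge("alice")                                     # session 1
    otp = svc.channel.sent[-1][2]
    out["wrong"] = svc.answer("alice", _wrong(otp))
    out["failures_after_wrong"] = alice.failures
    out["right"] = svc.answer("alice", otp)
    out["failures_after_right"] = alice.failures
    out["replay"] = svc.answer("alice", otp)
    for _ in range(2):                                         # sessions 2 and 3: one failure each
        svc.challenge("alice")
        svc.answer("alice", _wrong(svc.channel.sent[-1][2]))
    out["locked_after_two"] = alice.locked
    svc.challenge("alice")                                     # session 4: third failure
    svc.answer("alice", _wrong(svc.channel.sent[-1][2]))
    out["locked_after_three"] = alice.locked
    try:
        svc.challenge("alice")
        out["challenge_while_locked"] = "issued"
    except OTPLocked:
        out["challenge_while_locked"] = "refused"
    svc.csr_unlock("alice")
    out["failures_after_unlock"] = alice.failures
    return out
```

Two details matter more than the happy path: the counter lives on the user record, not the session, so the failures in sessions 2, 3 and 4 add up to a lock even though each session saw only one wrong answer; and a correct OTP clears the pending secret, so re-submitting the same value later is rejected without touching the counter.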

9.3 KBA vs. OTP

Oracle Adaptive Access Manager deployments may choose to use both KBA and OTP, either one on its own, or no challenge mechanism at all. If both KBA and OTP are used in a deployment, the security team may choose to use OTP first for high risk situations and then fall back on KBA. For example, a user logging in from a new IP in a city he often logs in from is relatively low risk on its own, so a KBA challenge is a good option to gain additional verification that this is the valid user. If, however, a user is attempting a funds transfer of more than 1000 using a device and location he has never accessed from previously, and the user has never performed a transfer, a stronger measure such as OTP Anywhere would be warranted. If a customer has both KBA and OTP enabled, the priority is configurable through properties. The default is to OTP challenge first and then KBA challenge for high risk situations. For information on KBA and OTP Anywhere priority, see Table 11–22, OAAM Challenge Trigger Combinations.
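The two scenarios above, run through a small risk-to-challenge selector with a configurable priority, as an added example that is not part of the guide or of OAAM. The scoring rules and thresholds, the registration flags, and the DEFAULT_PRIORITY list standing in for the OAAM priority properties are all invented; the only facts taken from the text are the "more than 1000" threshold, KBA for the low-risk case and OTP-then-KBA as the default order for high risk.

```python
"""Risk-based choice between KBA and OTP with a configurable priority; an added
illustration of 9.3, not OAAM code. The scoring rules, thresholds, registration
flags and the priority list are invented stand-ins for the OAAM properties."""
from typing import Any, Dict, List

DEFAULT_PRIORITY = ["OTP", "KBA"]   # default order for high risk (9.3): OTP first, then KBA

# Constructed scenarios taken from the text
FAMILIAR_CITY_NEW_IP = {"new_ip": True}
NEW_DEVICE_FIRST_TRANSFER = {"new_device": True, "new_location": True,
                             "first_transfer": True, "amount": 2500}

def risk_level(ctx: Dict[str, Any]) -> str:
    """Illustrative additive score; a real deployment uses OAAM policies and rules."""
    score = 0
    score += 1 if ctx.get("new_ip") else 0            # a new IP alone is low risk
    score += 2 if ctx.get("new_location") else 0
    score += 2 if ctx.get("new_device") else 0
    score += 2 if ctx.get("first_transfer") else 0
    score += 2 if ctx.get("amount", 0) > 1000 else 0  # "more than 1000" from the text
    if score == 0:
        return "none"
    return "high" if score >= 4 else "low"

def choose_challenge(ctx: Dict[str, Any], registered: Dict[str, bool],
                     priority: List[str] = DEFAULT_PRIORITY) -> str:
    """Return ALLOW, KBA, OTP or BLOCK for this request.
    Low risk prefers KBA (as in the text); high risk walks the configured priority.
    Either way the first mechanism the user has actually registered wins, and with
    none registered we fail closed (BLOCK), an assumption the guide does not make."""
    level = risk_level(ctx)
    if level == "none":
        return "ALLOW"
    if level == "low":
        order = ["KBA"] + [m for m in priority if m != "KBA"]
    else:
        order = list(priority)
    for mechanism in order:
        if registered.get(mechanism):
            return mechanism
    return "BLOCK"
```

The fallback is the part worth keeping: a high-risk request from a user who never registered a phone still gets KBA rather than no challenge, and a user registered for neither is blocked instead of being waved through because the preferred mechanism was unavailable.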

9.4 Quick Start

The first step in starting to use OTP Anywhere is to enable it using the Properties Editor in OAAM Admin. The checklist in Table 9–2 provides the basic steps for enabling OTP Anywhere out of the box, with links to pertinent documentation and prerequisites. The OTP challenge types that policies can use are listed in Table 9–1.

Table 9–1 OTP Challenge Types

Challenge Type   Description
ChallengeEmail   OTP challenge via email
ChallengeSMS     OTP challenge via SMS
ChallengeIM      OTP challenge via instant messaging
ChallengeVoice   OTP challenge via voice

9.5 Setting Up OTP Anywhere

This section contains details for advanced set up of OTP Anywhere and discusses the following topics:

■ Setup Overview
■ Configure UMS
■ Configuring UMS Server URLs and Credentials
■ Enabling and Defining the OTP Challenge
■ Configuring Policies and Rules to Use OTP Challenge
■ Enabling Registration and Preferences
■ Customizing Registration Fields and Validations
■ Customizing Terms and Conditions
■ Customizing Registration Page Messaging
■ Customizing Challenge Page Messaging
■ Customizing OTP Message Text
■ Configuring OTP Presentation

Table 9–2 Quick Start for Enabling OTP Out of the Box

Task 1: Enable OTP Anywhere Registration
OTP Challenge is not enabled by default. It has to be enabled by setting the following properties to true:
■ bharosa.uio.default.register.userinfo.enabled - enables the OTP profile in the registration flow
■ bharosa.uio.default.userpreferences.userinfo.enabled - enables the OTP profile in User Preferences

Task 2: Make SMS Challenge Type Available
Enable the SMS Challenge Type by setting the following property to true:
■ bharosa.uio.default.challenge.type.enum.ChallengeSMS.available
This makes it possible for policies to challenge using OTP via SMS.

Task 3: Configure UMS URLs and Credentials
Set the following properties:
■ bharosa.uio.default.ums.integration.webservice - UMS Web service URL
■ bharosa.uio.default.ums.integration.parlayx.endpoint - UMS ParlayX URL
■ bharosa.uio.default.ums.integration.useParlayX - selects the Web service API (false) or the ParlayX API (true). The default, false, is the preferred setting.
■ bharosa.uio.default.ums.integration.userName - UMS integration user name
■ bharosa.uio.default.ums.integration.password - UMS integration password
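A pre-flight check that reads a properties fragment and reports which of the three quick-start tasks in Table 9–2 are still unmet, as an added example rather than an OAAM tool. The property keys are the ones the table lists; the `*.available` keys for ChallengeEmail, ChallengeIM and ChallengeVoice are assumed by analogy with the ChallengeSMS key, the https requirement on the UMS URL is an added check the guide does not impose, and the two sample property sets are constructed for the example (hostnames and the password value are placeholders).

```python
"""Pre-flight check of the OTP Anywhere quick-start properties (Table 9-2).
Added example, not an OAAM tool. The ChallengeEmail/IM/Voice '.available' keys
are assumed by analogy with ChallengeSMS; the https check is an addition."""
from typing import Dict, List

PREFIX = "bharosa.uio.default."
UMS = PREFIX + "ums.integration."
CHALLENGE_TYPES = ("ChallengeEmail", "ChallengeSMS", "ChallengeIM", "ChallengeVoice")  # Table 9-1

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style properties parser: key=value, '#'/'!' comments, no escapes."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_true(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"

def check_otp_anywhere(props: Dict[str, str]) -> List[str]:
    """One finding per unmet quick-start requirement; an empty list means ready."""
    findings: List[str] = []
    # Task 1: OTP profile in the registration flow and in User Preferences
    for key in ("register.userinfo.enabled", "userpreferences.userinfo.enabled"):
        if not is_true(props, PREFIX + key):
            findings.append(f"task 1: {PREFIX}{key} must be true")
    # Task 2: at least one challenge type a policy can challenge with
    available = [t for t in CHALLENGE_TYPES
                 if is_true(props, f"{PREFIX}challenge.type.enum.{t}.available")]
    if not available:
        findings.append("task 2: no OTP challenge type is available "
                        f"(e.g. {PREFIX}challenge.type.enum.ChallengeSMS.available=true)")
    # Task 3: the URL for whichever UMS API useParlayX selects, plus credentials
    endpoint = UMS + ("parlayx.endpoint" if is_true(props, UMS + "useParlayX") else "webservice")
    url = props.get(endpoint, "")
    if not url:
        findings.append(f"task 3: {endpoint} is not set for the selected UMS API")
    elif not url.lower().startswith("https://"):
        findings.append(f"task 3: {endpoint} is not https; UMS credentials and OTP "
                        "messages would cross the network in clear (added check)")
    for key in ("userName", "password"):
        if not props.get(UMS + key):
            findings.append(f"task 3: {UMS}{key} is empty")
    return findings

# Constructed sample: registration half-enabled, SMS switched off, plain-http UMS
SAMPLE_INCOMPLETE = """
bharosa.uio.default.register.userinfo.enabled=true
bharosa.uio.default.userpreferences.userinfo.enabled=false
bharosa.uio.default.challenge.type.enum.ChallengeSMS.available=false
bharosa.uio.default.ums.integration.webservice=http://ums.example.com/messaging
bharosa.uio.default.ums.integration.useParlayX=false
bharosa.uio.default.ums.integration.userName=oaam_ums
bharosa.uio.default.ums.integration.password=
"""

# Constructed sample: every quick-start task satisfied (placeholder values)
SAMPLE_READY = """
bharosa.uio.default.register.userinfo.enabled=true
bharosa.uio.default.userpreferences.userinfo.enabled=true
bharosa.uio.default.challenge.type.enum.ChallengeSMS.available=true
bharosa.uio.default.ums.integration.webservice=https://ums.example.com/messaging
bharosa.uio.default.ums.integration.useParlayX=false
bharosa.uio.default.ums.integration.userName=oaam_ums
bharosa.uio.default.ums.integration.password=placeholder-not-a-real-secret
"""

if __name__ == "__main__":
    for name, text in (("incomplete", SAMPLE_INCOMPLETE), ("ready", SAMPLE_READY)):
        print(name, check_otp_anywhere(parse_properties(text)) or ["ready for OTP Anywhere"])
```

Because useParlayX decides which of the two URL properties is actually used, the check only demands the endpoint for the selected API; a deployment that flips useParlayX to true without filling in the ParlayX URL is reported even though the Web service URL is present. Note also that the UMS password sits in the same property store as everything else, so access to the Properties Editor should be treated as access to that credential.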