oracle-cloud-infrastructure

Adding MFA on OCI gives "can only be enabled by the user" error
I have a similar setup to the one described in the question "I can't enable MFA for Oracle Identity Cloud Service user", but a different problem: I cannot enable Multi-Factor Authentication for any user.

On the Oracle Cloud Infrastructure (OCI) console, I do see the "Enable Multi-Factor Authentication" in one of the accounts under Identity >> Users >> User Details. After following all the steps, including scanning the barcode and entering the verification code, when I click the verify button on OCI I get this error: "Multi-factor authentication can only be enabled by the user."

What does this mean? I thought I was the user! I've searched online for this error and looked at documentation, but see no clue.
Solution

  • Managed to enable 2FA! It's a convoluted process, so it's no wonder I was not able to do it before. In a nutshell, the administrator needs to configure the end user account to use MFA, and only after that, the user will be able to "enroll" to use MFA. In my case, the administrator and the end user are the same account.

    First, I went to Identity & Security > Identity > Federation and then clicked on OracleIdentityCloudService, which opens another page. Then I clicked on the link shown after "Oracle Identity Cloud Service Console", which opens up a different administration web console.

    There are too many steps to explain here, but on this new console I essentially did the following:

    1. Enabled Mobile App Passcode (under Security > MFA)
    2. Added a new group for MFA (Groups > Add) and included my own user
    3. Added, and dragged to the top, a new sign-on policy (Security > Sign-on Policies) to "Prompt for an additional factor" with the condition "And is a member of these groups" (using the group I just created)
    4. Signed out and signed in again
    5. After login, I followed the prompt (screenshot below) and added verification with another authentication app

    [screenshot of the post-login MFA enrollment prompt; image not preserved]

    And this time it worked! These steps and screenshots are shown nicely in a Medium post, which has different guides for three "different Oracle products". The steps outlined above are for IDCS. The error shown in my original question comes from trying the method for "Old OCI IAM", which might have worked if steps 1 - 3 above had been completed beforehand, but I didn't test it, since I followed the prompt given at login instead.

    I also found an Oracle article that shows some of the steps above, with screenshots as well. Hope this helps people better secure their accounts.
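The distinction the answer turns on (local OCI IAM users, whose MFA status is visible on the user record, versus IDCS-federated users, whose MFA is enforced by the IDCS sign-on policy) is the same one an administrator needs when auditing a tenancy. The script below is an added example, not code from the post or from Oracle; it classifies users from a constructed sample in the shape of the OCI `list_users` response and, optionally, pulls live users with the OCI Python SDK (assumed to be installed and configured via `~/.oci/config`). The `fetch_users` helper and the tenancy OCID placeholder are assumptions.

```python
"""Audit which OCI IAM users have MFA, separating local users from IDCS-federated ones."""

# Constructed sample mirroring the fields of `oci iam user list` / IdentityClient.list_users.
# Federated IDCS users appear in OCI IAM with an identity_provider_id and a
# "oracleidentitycloudservice/<email>" name; their MFA is governed by IDCS, not this flag.
SAMPLE_USERS = [
    {"name": "alice", "is_mfa_activated": True, "identity_provider_id": None,
     "lifecycle_state": "ACTIVE"},
    {"name": "bob", "is_mfa_activated": False, "identity_provider_id": None,
     "lifecycle_state": "ACTIVE"},
    {"name": "oracleidentitycloudservice/carol@example.com", "is_mfa_activated": False,
     "identity_provider_id": "ocid1.saml2idp.oc1..EXAMPLE", "lifecycle_state": "ACTIVE"},
    {"name": "dave", "is_mfa_activated": False, "identity_provider_id": None,
     "lifecycle_state": "DELETED"},
]


def classify_mfa(users):
    """Group ACTIVE users into local-with-MFA, local-without-MFA and federated.

    Federated users are reported separately because is_mfa_activated is not
    meaningful for them: enforcement comes from the IdP (IDCS sign-on policy).
    """
    report = {"local_with_mfa": [], "local_without_mfa": [], "federated": []}
    for u in users:
        if u.get("lifecycle_state") != "ACTIVE":
            continue  # deleted/inactive users cannot sign in; skip them
        if u.get("identity_provider_id"):
            report["federated"].append(u["name"])
        elif u.get("is_mfa_activated"):
            report["local_with_mfa"].append(u["name"])
        else:
            report["local_without_mfa"].append(u["name"])
    return report


def fetch_users(tenancy_ocid):
    """Assumed live fetch via the OCI Python SDK (needs ~/.oci/config); not used offline."""
    import oci  # imported lazily so the offline sample runs without the SDK installed
    client = oci.identity.IdentityClient(oci.config.from_file())
    page = oci.pagination.list_call_get_all_results(client.list_users, tenancy_ocid)
    return [{"name": u.name, "is_mfa_activated": u.is_mfa_activated,
             "identity_provider_id": u.identity_provider_id,
             "lifecycle_state": u.lifecycle_state} for u in page.data]


if __name__ == "__main__":
    for bucket, names in classify_mfa(SAMPLE_USERS).items():
        print(f"{bucket}: {names}")
```

To audit a real tenancy, replace `SAMPLE_USERS` with `fetch_users("ocid1.tenancy.oc1..PLACEHOLDER")`; the `local_without_mfa` bucket is the list to chase, while federated entries must be checked against the IDCS sign-on policy instead.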