Thursday, July 20, 2023

Navigating Multi-Factor Authentication (MFA) for Oracle Cloud Infrastructure (OCI) - A Guide for Customers


As part of its ongoing commitment to enhancing security measures, Oracle Cloud Infrastructure (OCI) has announced the implementation of Multi-Factor Authentication (MFA) for all customers. This move is aimed at bolstering the protection of sensitive data and safeguarding against potential security threats.

OCI MFA Policy Overview: The MFA policy, named "Security Policy for OCI Console," will be created by Oracle for customers who do not have Single Sign-On (SSO) configured. The activation of this policy will be carried out in batches, commencing from 20th July. This includes both recently migrated customers to OCI Gen2 and existing OCI customers.

How to avoid MFA:

While MFA is highly recommended for its added layers of security, some customers may have concerns or queries about its implementation. In this blog, we will delve into the details of Oracle's MFA policy for OCI and explore the available options for customers to navigate this change effectively. We recommend following two options:


Option 1: 

Activate Policy and Exclude Users One approach to handle the MFA activation is to keep only essential users under the policy, leaving out others. Here's how you can execute this option:

  1. Create an Identity Domain Administrator User: Start by creating a new admin user, who will have the authority to manage the MFA policy and other administrative tasks. Once the admin user is in place, exclude all other users from the MFA policy. This ensures that only authorized administrator will be affected by the MFA requirement.
  2. Create a Temporary User: To effectively implement the policy, select a temporary user as the sole entity subject to MFA. This approach allows you to thoroughly test the MFA workflow while minimizing its impact on users.

Option 2: 

Deleting the MFA Policy For customers who wish to avoid MFA activation altogether, Oracle has confirmed that once the MFA policy is deleted, it will not be recreated. Here's how you can proceed with this option:

  1. Identity Domain Administrator Privilege: Ensure that the user is Identity Domain Administrator to delete policies.
  2. Deleting the MFA Policy: The Identity Domain Administrator can then proceed to delete the MFA policy, effectively bypassing MFA requirements for all users.


Multi-Factor Authentication (MFA) is a vital aspect of modern cybersecurity, providing an extra layer of protection for cloud infrastructure and user accounts. While Oracle Cloud Infrastructure (OCI) implements MFA to enhance security, customers have the flexibility to choose from two available options to navigate this change effectively. Whether it is configuring MFA for a select group of users or opting to delete the policy altogether, customers can make informed decisions based on their unique security requirements.

Remember, while MFA may cause initial concerns, its implementation will provide peace of mind and strengthen the overall security posture of your organization's OCI infrastructure. Stay safe, secure, and ahead in the cloud journey!


No comments:

Post a Comment