
lacework-global-674

1.7 Enable Multi-Factor Authentication (MFA) for all users with console password capability (Automated)

Description

Multi-factor authentication is a method of authentication that requires the use of more than one factor to verify a user's identity. With MFA enabled in the Identity and Access Management (IAM) service, when a user signs in to Oracle Cloud Infrastructure, they must provide their user name and password, which is the first factor (something that they know). The user is then prompted to provide a verification code from a registered MFA device, which is the second factor (something that they have). The two factors work together, requiring an extra layer of security to verify the user's identity and complete the sign-in process. OCI IAM supports two-factor authentication using a password (first factor) and a device that can generate a Time-based One-time Password (TOTP) (second factor). See OCI documentation (https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm) for more details.

Remediation

Each user must enable MFA for their own account, registering a device they will have available at every sign-in.

An administrator cannot enable MFA on behalf of another user, but can enforce it by identifying the non-compliant users (console password capability enabled, MFA not activated), notifying them, and, where they do not comply, cutting off console access by resetting the password of each non-compliant account.

Disabling access from Console:

  1. Log in to the OCI Console.

  2. Select Identity from Services menu.

  3. Select Users from Identity menu.

  4. Click each non-compliant user.

  5. Click Reset Password.

From CLI:

oci iam user ui-password create-or-reset --user-id <Oracle Cloud Identifier (OCID) of the non-compliant user>
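The procedure above, identifying users who can use a console password but have not activated MFA and then building the reset command for each, as a worked example added here (not Lacework's or Oracle's own code). It works offline on a constructed sample of `oci iam user list` JSON output; the field names (`is-mfa-activated`, `lifecycle-state`, `capabilities.can-use-console-password`) are those of the OCI IAM User resource, and the `fetch_user_list` helper that shells out to the real CLI is an assumption that you have a configured `oci` CLI and a tenancy OCID.

```python
"""Find OCI IAM users with console password capability but no MFA,
and build the `oci iam user ui-password create-or-reset` command for each.
Added example, not part of the original policy page."""
import json
import shlex
import subprocess

# Constructed sample of `oci iam user list --all` output (not real tenancy
# data). Only the fields this check needs are included.
SAMPLE_USER_LIST = json.dumps({
    "data": [
        {"id": "ocid1.user.oc1..aaaaexample1", "name": "alice",
         "lifecycle-state": "ACTIVE", "is-mfa-activated": True,
         "capabilities": {"can-use-console-password": True}},
        {"id": "ocid1.user.oc1..aaaaexample2", "name": "bob",
         "lifecycle-state": "ACTIVE", "is-mfa-activated": False,
         "capabilities": {"can-use-console-password": True}},
        # API-key-only service account: cannot sign in to the Console,
        # so it is out of scope for this control.
        {"id": "ocid1.user.oc1..aaaaexample3", "name": "svc-deploy",
         "lifecycle-state": "ACTIVE", "is-mfa-activated": False,
         "capabilities": {"can-use-console-password": False}},
        # Inactive user: already cannot sign in, nothing to reset.
        {"id": "ocid1.user.oc1..aaaaexample4", "name": "carol",
         "lifecycle-state": "INACTIVE", "is-mfa-activated": False,
         "capabilities": {"can-use-console-password": True}},
    ]
})


def non_compliant_users(user_list_json: str) -> list:
    """Return active users who can use a console password but have no MFA."""
    users = json.loads(user_list_json)["data"]
    return [
        u for u in users
        if u.get("lifecycle-state") == "ACTIVE"
        and u.get("capabilities", {}).get("can-use-console-password", False)
        and not u.get("is-mfa-activated", False)
    ]


def reset_commands(users: list) -> list:
    """Build the remediation command from the page for each user OCID.
    shlex.quote keeps an unexpected OCID value from being interpreted
    by the shell if the commands are pasted or piped."""
    return [
        "oci iam user ui-password create-or-reset --user-id "
        + shlex.quote(u["id"])
        for u in users
    ]


def fetch_user_list(tenancy_ocid: str) -> str:
    """Live variant (assumption: configured `oci` CLI). Users live in the
    tenancy root compartment, so --compartment-id takes the tenancy OCID."""
    result = subprocess.run(
        ["oci", "iam", "user", "list", "--compartment-id", tenancy_ocid, "--all"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample. Replace SAMPLE_USER_LIST with
    # fetch_user_list("<tenancy OCID>") to audit a real tenancy.
    offenders = non_compliant_users(SAMPLE_USER_LIST)
    for u in offenders:
        print(f"NON-COMPLIANT: {u['name']} ({u['id']})")
    for cmd in reset_commands(offenders):
        print(cmd)
```

Two caveats when running the reset for real: the `create-or-reset` response contains the new one-time password in its output, so do not log the command output or leave it in shell history, and hand the password to the user out of band; and in tenancies that use Identity Domains, MFA is enforced through the domain's sign-on policies rather than the per-user `is-mfa-activated` flag, so check that page's guidance before relying on this field there.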

References

https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm
https://docs.oracle.com/en-us/iaas/Content/Security/Reference/iam_security_topic-IAM_MFA.htm
https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__NO_MFA_ENABLED_FOR_USER