Murali Shanmugham

Secure your SAP Cloud Solutions with hardware-based Two-Factor Authentication

In this blog post I would like to share an update on Two-Factor Authentication (2FA) in Identity Authentication service (IAS). I recently watched a replay of “SAP Business Technology Platform and RISE with SAP Live sessions” hosted by Cecilia Huergo and saw a demonstration of IAS by the product manager Marko Sommer. Marko covered an end-to-end demo of how SSO can be set up with multiple solutions. One of the capabilities demonstrated was how 2FA can be used within IAS. I would highly recommend watching the replay here.

2FA has been a popular capability, sought after in IAS and in any Identity Provider used with SAP Business Technology Platform (BTP). Currently, IAS supports the following options for 2FA:

  • Time-based one-time passcode (TOTP)
  • SMS PIN
  • Web two-factor authentication (FIDO2 standard)

There are many resources on how to set up the TOTP passcode and SMS PIN, and I have published a few blog posts on both. In this blog post, I would like to cover the third option, which is based on the FIDO2 standard. You can use this approach to secure any of your Cloud Solutions.

Setting up Web Two-Factor Authentication

Web two-factor authentication is based on FIDO2, an open authentication standard that enables users to leverage common devices to easily authenticate to online services, for example a USB security key or biometrics.

[Image: USB security key. Image courtesy of Yubico]

For the purpose of this demo, I have already configured my environment and set up trust between IAS and an SAP BTP subaccount which has a Fiori Launchpad. Here is a tutorial which you could use to set up trust between IAS and an SAP BTP account.

I have configured an application in IAS for my BTP subaccount called “MFA Showcase”. The 2FA options are within the “Risk-based authentication” settings.

Here you will find an option to select any of the two-factor authentication options.

Once your risk-based authentication is configured with the appropriate rules, you can test them straight away.

As you can see above, the system prompts the user to select any of the available 2FA options after the initial user name and password have been provided. For this demo, I used the fingerprint scanner on my laptop as the second factor to authenticate myself.

As an end user, I can navigate to the profile management page of IAS to view the settings which have been enabled. To view the Profile Management section, please navigate to https://<tenant>.accounts.ondemand.com/ui/protected/profilemanagement (replace <tenant> with your IAS tenant name).

If the end user would like to remove this authentication method and add another one, say a USB security key, that can be done from the profile management section too. I hope you found this blog post useful for the setup of 2FA. For any questions on this topic, please raise them in the forum with the relevant tags.

Link to SAP Help Documentation

      6 Comments

      Chris Paine

      I use this in a demo of the awesome power of using IAS with SAP SuccessFactors. I've linked the log in to SAP SuccessFactors to my fingerprint reader on my MBP. It is soooo cool to demo!

      What people may not realise is that this can be used in addition to existing authentication - so if you are using Azure AD for SSO - you can _also_ use MFA in IAS to trigger the additional factor of authentication.

      Nice!

      Murali Shanmugham
      Blog Post Author

      This is cool 🙂

      Sushil Gupta

      Hi Murali,

      Very informative blog !

      Very well presented in Video. Thank you for sharing.


      Regards

      Sushil K Gupta

      Teoman Paylar

      How could I delete the 2FA if I lost my phone or lost my 2FA device?


      Regards

      Teoman Paylar

      Murali Shanmugham

      I think you would have to create a ticket to get that updated

      Timmy Becker

      Hi Murali,


      thanks for the article. Is there also an option with FIDO and passwordless authentication available?


      BR

      Timmy