Secure your SAP Cloud Solutions with hardware-based Two-Factor Authentication
In this blog post I would like to share an update on Two-Factor Authentication (2FA) in the Identity Authentication service (IAS). I recently watched a replay of “SAP Business Technology Platform and RISE with SAP Live sessions” hosted by Cecilia Huergo and saw a demonstration of IAS by the product manager Marko Sommer. Marko covered an end-to-end (E2E) demo of how SSO can be set up with multiple solutions. One of the capabilities demonstrated was how 2FA can be used within IAS. I would highly recommend watching the replay here.
2FA has been a popular capability, much sought after in IAS and in any Identity Provider used with SAP Business Technology Platform (BTP). Currently, IAS supports the following options for 2FA:
- Time-based one-time passcode (TOTP)
- SMS PIN
- Web two-factor authentication (FIDO2 standard)
You will find many resources on how to set up the TOTP passcode and SMS PIN. I have published a few blog posts on TOTP passcode and SMS PIN. In this blog post I would like to cover the third option, which is based on the FIDO2 standard. You can use this approach to secure any of your cloud solutions.
Setting up Web Two-Factor Authentication
Web two-factor authentication is based on FIDO2, an open authentication standard that enables users to leverage common devices to easily authenticate to online services, for example using a USB security key or biometrics.
Image Courtesy from Yubico – USB Security Key
For the purpose of this demo, I have already configured my environment and set up trust between IAS and an SAP BTP subaccount which has a Fiori Launchpad. Here is a tutorial which you could use to set up trust between IAS and an SAP BTP account.
I have configured an application in IAS for my BTP subaccount called “MFA Showcase”. The 2FA options are within the “Risk-based authentication” settings.
Here you will find an option to select all the two-factor authentication options.
Once your risk-based authentication is configured with the appropriate rules, you can test them straight away.
As an end user, I can navigate to the profile management page of IAS to view the settings which have been enabled. To view the Profile Management section, please navigate to https://<tenant>.accounts.ondemand.com/ui/protected/profilemanagement
If the end user would like to remove this authentication method and add another one, say a USB security key, this can be done from the profile management section too. I hope you found this blog post useful for setting up 2FA. For any questions on this topic, please raise them in the forum with the relevant tags.
I use this in a demo of the awesome power of using IAS with SAP SuccessFactors. I've linked the login to SAP SuccessFactors to my fingerprint reader on my MBP. It is soooo cool to demo!
What people may not realise is that this can be used in addition to existing authentication - so if you are using Azure AD for SSO - you can _also_ use MFA in IAS to trigger the additional factor of authentication.
This is cool 🙂
Very informative blog!
Very well presented in Video. Thank you for sharing.
Sushil K Gupta
How could I delete the 2FA if I lost my phone or lost my 2FA device?
I think you would have to create a ticket to get that updated
Thanks for the article. Is there also an option with FIDO and passwordless authentication available?