Getting Started with SAP Cloud Identity Service with MFA and TOTP
In this blog post you are going to learn how to enable Multi-Factor Authentication using TOTP (Time-based one-time password) for Platform and Business Users.
This is a follow-up to my first blog about getting started.
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication can be described as “An authentication mechanism that requires more than one distinct authentication factor for successful authentication”.
When a user authenticates to IAS, the user must provide valid credentials consisting of either one or multiple factors. It uses variety of factors and information, to verify the user identity. Many earlier systems use one factor, like a username/ password also called as basic authentication.
Now to strengthen the authentication process we use MFA which acts as another layer of security for users and reduce the risk of unauthorized access.
What is Time-based One-Time Password (TOTP)?
A Time-based One-Time Password (TOTP) is a numerical code which is generated with a standard algorithm that uses the current time and a key as input. It is user friendly and available offline in a generator application of the user’s choice- usually on a mobile device. It appears as six-digit numbers that regenerate every 30 seconds.
The Multi-Factor Authentication option in the administration console should be switched on for the users to provide enable MFA in their profile page.
MFA for all applications in a Tenant
The administrator can define rules according to different risk factors and apply actions like Allow, Deny and Two -Factor Authentication for all applications in the tenant.
For more information refer the link
MFA for the Administrators
The tenant Administrator must configure the Two-Factor Authentication in IAS in the admin console for any user.
Go to User Management -> Select the <admin user> who needs the MFA enabled.
Select the user -> Go to Authentication -> Multi-Factor Authentication here, I selected my user.
Set MFA status as ON
MFA for the Users
The users can also setup MFA for applications/solutions. I have created an application for this blog called “MFA for SFSF”. User can select the Application -> Authentication and Access -> and click on Risk-Based Authentication.
Here the user can select from the list of Two-Factor authentication methods like TOTP, Web Authentication and E-Mail OTP Code, you can select one or multiple options.
Once the configuration is complete, the system prompts the user to select any of the available options after the initial username and password are provided.
The user profile shows you the authentication methods setup for a user, you can access it through the link https://<tenant>.accounts.ondemand.com/ui/protected/profilemanagement
Here you can add/remove your authentication method, like accessing using your fingerprint etc.
Enable MFA across the Tenant
Access the admin console using the URL: https://<tenant ID>.accounts.ondemand.com/admin
Go to Applications & Resources -> Tenant Settings -> Choose Multi-Factor Authentication -> Enable (ON)
The system message is displayed “Multi-Factor authentication updated”.
SAP Authenticator App & configure TOTP
Once the configuration is changed to MFA, the application requires TOTP for two-factor authentication. Here we will use the default SAP app (SAP Authenticator) available on the iOS Appstore / Android Play store.
You can also use any other third-party authenticator app like Microsoft Authenticator or the Google Authenticator.
Once you download and install the app, follow the self-guided steps to setup TOTP.
Download this from the App Store or the Play Store.
Open the app and Start the Setup
Log out from the existing session and when you login back, you would get the following message
Click on Activate, it will take to the profile page of the IAS tenant.
In the App, Click on Add Account and scan the QR code displayed in the initial login of the IAS tenant.
After which you will have an account added in the App and it would generate the one-time passcode, enter this in the “Passcode” field on the login page.
Finally, you can log on to the application using passcode (TOTP) as your authentication.
To deactivate MFA for the User/Admin
You can use the following option to deactivate MFA.
To reset MFA when the Authenticator app is uninstalled / Phone Lost
Yes, the tenant Admin can decide whether he/she wants to allow self-service reset options or deactivate the passcode for the tenant.
If the tenant has many users, the admin can decide this to be a self-service.
Is the only possibility to reset the MFA to delete the user in IAS and add again?
One has to a support incident for the admin to unlock and reset for a new MFA Or if a user lost the mobile then that should be reported immediately to admin.
The admin can only unlock/unregister an MFA device but not arrange/configure a new one for the user.
Please check the Administration Guide from
Identity Authentication service documentation
TOTP Two-Factor Authentication
Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Service