In this blog post I would like to share an update on Two-Factor Authentication (2FA) in Identity Authentication service (IAS). I recently watched a replay of "SAP Business Technology Platform and RISE with SAP Live sessions" hosted by chuergo16 and saw a demonstration of IAS by the product manager marko.sommer. Marko covered an E2E demo of how SSO can be set up with multiple solutions. One of the capabilities demonstrated was how 2FA can be used within IAS. I would highly recommend watching the replay here.
2FA has been a popular capability, sought after in IAS and in any Identity Provider used with SAP Business Technology Platform (BTP). Currently, IAS supports the following options for 2FA:
- Time-based one-time passcode (TOTP)
- SMS PIN
- Web two-factor authentication (FIDO2 standard)
There are many resources on how to set up TOTP passcodes and SMS PINs; I have published a few blog posts on TOTP passcode and SMS PIN myself. In this blog post, I would like to cover the third option, which is based on the FIDO2 standard. You can use this approach to secure any of your cloud solutions.
Setting up Web Two-Factor Authentication
Web two-factor authentication is based on FIDO2, an open authentication standard that lets users authenticate to online services with common devices, for example a USB security key or a biometric sensor.
Image courtesy of Yubico: USB Security Key
For the purpose of this demo, I have already configured my environment and set up trust between IAS and an SAP BTP subaccount which has a Fiori Launchpad. Here is a tutorial which you could use to set up trust between IAS and your SAP BTP account.
I have configured an application in IAS for my BTP subaccount called "MFA Showcase". The 2FA options are within the "Risk-based authentication" settings.
Here you will find the option to select all of the two-factor authentication options.
Once your risk-based authentication is configured with the appropriate rules, you can test it straight away.
As you can see above, the system prompts the user to select any of the available 2FA options after the initial user name and password have been provided. For this demo, I used the fingerprint scanner on my laptop as the second factor to authenticate myself.
As an end user, I can navigate to the profile management page of IAS to view the authentication methods which have been enabled. To open the Profile Management section, navigate to
https://<tenant>.accounts.ondemand.com/ui/protected/profilemanagement
If the end user would like to remove this authentication method and add another one, say a USB security key, that can be done from the profile management section too. I hope you found this blog post useful for setting up 2FA. For any questions on this topic, please raise them in the forum with the relevant tags.
Link to SAP Help Documentation