- Enable network connection to Applaud Cloud
- Set up your Twilio account
- Set the Twilio API key
- Define who is required to use two-factor authentication
- Limit registration phone types
- Review the Oracle session timeout settings
- Schedule the 'De-register end-dated 2FA users' program
1. Enable network connection to Applaud Cloud
To communicate with Twilio, the app will require a network connection to Applaud Cloud. See Enable network connectivity to Applaud Cloud.
2. Set up your Twilio account
- The Twilio account needs billing details configured to cover SMS charges
- The Twilio account gives access to the details of end users who have registered for two-factor authentication
- Sign up at the above location, and skip the introduction so you're taken straight to the dashboard.
- In the search box, type authy and select the Build with Authy option under the Authy category.
- In the Build with Authy setup steps, verify a phone number.
- In the second step, enter a friendly name for the application. For example, you could use Applaud.
- Select Create Application. At this point you no longer need the setup wizard; instead, select Applications under the Authy menu on the left.
- Select the application you just created (for example, Applaud), and then select the Settings option under the application sub-menu.
- Here you'll see the Production API Key. View this key and copy it (you'll need it for step 3). Be sure to keep this secure!
- Scroll down to TOTP Settings and change the OTP Length from 7 digits to 6 digits.
- Disable the Installation Message option, disable the Authentication via Phone Call option, enable the Force SMS option, and then select Save at the bottom.
3. Set the Twilio API key
4. Define who is required to use two-factor authentication
- Log in and navigate to the Functional Administrator responsibility.
- On Security: Grants, select Create Grant and enter the name. For example, "Applaud 2FA Grant to All Users - Applaud Two-Factor required".
- Enter the Effective Start date and leave the Effective End Date blank.
- In the Grantee type, specify All Users if you want all users to use two-factor authentication, or specify Group of Users if you want 2FA only for certain roles or responsibilities. You can also specify Specific User if you want to require 2FA for named users, such as super users.
- In the Grantee, specify the name of the role or responsibility (if Group of Users) or the name of a specific user (if Specific User). If you've selected All Users, you do not need to complete this.
- Under Data Security, set the Object to Applaud FND User and select Next.
- If you wish to specify an Instance Set, set that here, and select Next to the last step.
- In the Permission Set, select Applaud Two-Factor Required and Finish.
- Clear the cache: Functional Administrator: Core Services: Caching Framework: Global Configuration: Clear All Cache: Confirm
You can create multiple grants if you need to combine several grantee types or groups.
5. Limit registration phone types
When a user registers for two-factor authentication, they can pick the Phone Type they wish to use for their registration number. By default, the app will show all phone types that you've configured.
If you wish to change these default phone types, you can use form personalization to adjust the available phone types. To do this:
- Register an Edit personalization Fast Formula against the registration form
- In this Fast Formula, override the list provider for the Phone_Type field. For example: Phone_Type_List_Provider = 'XXX_My_Custom_Value_Set'
- Be sure to return this at the end of your Fast Formula
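As an added illustration, and not a formula taken from the Applaud documentation, the following is a complete Edit personalization Fast Formula of the shape the steps above describe. The value set name XXX_My_Custom_Value_Set is the one used in the page's own example; the rest is assumed, in particular that the personalization formula needs no input variables and that returning the single overridden variable is all that is required.

```text
/* Added example (assumed structure, not Applaud's own code):
   Edit personalization Fast Formula registered against the
   two-factor registration form. It replaces the default list of
   all configured phone types with a custom value set.
   The value set name is the one from the page's own example. */
Phone_Type_List_Provider = 'XXX_My_Custom_Value_Set'

/* The override only takes effect if the variable is returned. */
RETURN Phone_Type_List_Provider
```

Only phone types present in the custom value set are then offered at registration, so the value set is where you decide, for example, whether a shared or desk phone number may be used to receive SMS codes.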
6. Review the Oracle session timeout settings
Poor experience alert: we strongly recommend against forcing users to re-authenticate with two-factor authentication at very frequent intervals. Users find this frustrating and annoying, and it is likely to reduce usage.
7. Schedule the 'De-register end-dated 2FA users' program
This program deactivates the Twilio user; it does not remove the Twilio user completely. Twilio provides no way to remove users other than logging in to the console and deleting them by hand. This means that if an ex-employee rejoins and re-registers for two-factor authentication with the same phone number as before, their existing deactivated Twilio account is reactivated.