Feature Request FR-4165
Product Area Security
Status OPEN

20 Voters

Make it easy for developers to add security key and authenticator app verification into their APEX applications

jkerr Public
· Dec 22 2024

Idea Summary
Make it easy for developers to include security key and authenticator app user authentication capabilities in the APEX applications they build. Note this is for the applications we build, not Application Builder or other Oracle tools (which would be important as well).

Use Case
The hacking of the phone systems and FBI warnings not to use 2FA make inclusion of security key and authenticator app security options in applications we build critical to reduce the risk of breach. Presently, inclusion of these security features is very difficult to do, but it should be simple to encourage widespread adoption. It is so critical that it should be the highest priority.

Preferred Solution (Optional)
Offer plugin components for interacting with the authenticator app and/or security keys, and/or a sample login app that collects key and authenticator app responses to be used whether application authentication is Oracle or application based. In the interim, offer clear step-by-step documentation on how to add the functionality now, no matter how difficult.

This idea is open.

Comments

  • carsten.czarski APEX Team OP 3 days ago

    Using Social Sign In or SAML to integrate with an external login server (which provides all that) is not an option? In companies there is typically an enterprise login solution available, isn't there?

  • joep.hendrix OP 2 days ago

    Just basic authenticator verification (like Google Authenticator) should be supported out of the box and the “new” Passkey authentication as well.

    More sophisticated 2FA methods for enterprises or custom login are another story.

  • jkerr OP 2 days ago

    The problem with social sign in is that you cannot be sure the user is utilizing two factor authentication, and if they are, you cannot be sure they have chosen an authenticator app or physical key. E-mail as 2FA is very weak, and it has become too easy for people to have their phones replicated. And, small to medium sized organizations often don't have the resources for an external login server.

    Not to muddy the water, but while on the subject of 2FA, I continue to be especially astonished that 2FA is not even available to choose for APEX application builder or administrative login. I did put an idea in for that as well…