Eclipsys Blog

Multi-Factor Authentication for Database Authentication

Written by Dinusha Rathnamalala | Oct 22, 2025 4:32:44 PM

In today’s digital landscape, passwords alone are no longer enough to protect what matters most: your organization’s data. For executives responsible for safeguarding customer trust, meeting regulatory demands, and avoiding costly breaches, the stakes couldn’t be higher. That’s why Multi-Factor Authentication (MFA) for Oracle Database has quickly shifted from a “nice-to-have” to a “must-have.” MFA is one of the simplest yet most powerful steps you can take to reduce risk. It ensures that even if a password is stolen or compromised, unauthorized users can’t access your most critical systems. For leaders, that translates into stronger compliance, reduced breach costs, and peace of mind knowing the company’s crown jewels are better protected.

At DSP-Eclipsys, we’ve helped organizations across industries take this step confidently. Our experts understand the challenges of balancing strong security with seamless user experience, and we know how to make MFA work within the complexity of your Oracle environments. Whether you’re just starting your journey or looking to optimize your existing security controls, we can help you implement Oracle Database MFA in a way that supports both your business goals and your security strategy.

And now, with Oracle’s July 2025 Database Release Update for Oracle Database 19c and 23c, MFA has become even easier to adopt. Native support for MFA means you no longer need to rely exclusively on external identity providers. Oracle has built it right into the database itself. With support for Oracle Mobile Authenticator and Cisco Duo, enterprises can simplify adoption, strengthen protection, and align with modern authentication standards.

So, what does this mean for your organization, and how can you take advantage of it today? Let’s dive deeper into the benefits and how DSP-Eclipsys can help you make the most of this new capability.

I recently implemented this feature in a customer environment running a non-CDB Oracle Database 19c Standard Edition, with the latest July 2025 DBRU patch applied.

Here’s a detailed, step-by-step guide:

This is the communication flow for the new multi-factor authentication feature:

Image from: https://blogs.oracle.com/database/post/new-mfa-jul2025

  1. Users start by entering their regular credentials (username and password) in SQL*Plus, SQLcl, or any compatible client.
  2. The database triggers a multi-factor authentication request via the push notification service.
  3. A push notification instantly appears on the user’s registered mobile device, asking them to confirm the login.
  4. The user approves the request on their device.
  5. The push notification service informs the database that the login is authorized.
  6. The user login is successful.

Configuration required in OCI:

To enable the MFA feature, certain essential steps must be completed, and specific information needs to be gathered from the OCI tenancy.

Your tenancy should be linked to an existing identity domain. Log in to your cloud tenancy and find the identity domain details under Identity & Security -> Domains.

Copy the Domain URL.

Domain URL: https://idcs-*****************.identity.oraclecloud.com

Create an OAuth client application

The next step is to create an OAuth client application registered to this domain. On the same page, click Integrated applications -> Launch workflow.

Provide an appropriate name for the application, leave the remaining fields blank, and then click Submit.

In the application page, go to the OAuth configuration tab, then click the button Edit OAuth configuration.

In the Client Configuration section, select 'Configure this application as a client now' and set the Allowed Grant Types to 'Client Credentials,' as illustrated in the image below.

Without submitting, scroll further down to the 'App roles' section.

Add the two roles, User Administrator and MFA Client, and then click Submit.

Navigate back to the OAuth configuration tab and copy the Client ID and Client secret.

Client ID = 6a3a853add814c12937954fcccdc9ae8

Client secret = idcscs-343dfdf-6837-fdfdfb-b740-3434ddgfgfs

As a final step, click Actions -> Activate to activate the application.

The application should be in the ‘Active’ state.

Configure OCI Email Delivery

The next step is to configure the OCI Email Delivery Service. Ensure that the IAM user being used has the required privileges to perform these actions. If not, create an IAM group, add the user to it, and then grant the following IAM policy.

allow group <GROUP_NAME> to use email-family in compartment <COMPARTMENT_NAME>

If SMTP credentials are not already available, generate them and make note of the SMTP username and password, as these will be required later in the configuration process.

Click on the profile button in the top right corner and navigate to the user's identity profile. Then click on 'Saved Password'.

Click on ‘Generate credentials’ and note the SMTP username and password. I have already set the SMTP credentials.

SMTP User: ocid1.user.oc1..aaaaaaaaujxxxxxxxxxxxxxxxxxx7x74a@ocid1.tenancy.oc1..aaaaaaaaqkfafm7ykyzmszzxxxxxxxxxxxxxcrdn7a.k8.com

SMTP Password: LjVaxxxxxxxxxxxxxxxx1

Obtain SMTP server information

Navigate to the Configuration under Developer Services -> Application Integration -> Email Delivery.


Note the details under SMTP Sending Information. We will use this information later in the configuration.

Public Endpoint: smtp.email.ca-toronto-1.oci.oraclecloud.com

SMTP Port: 587

You must add the email address that will be used to send OMA enrollment emails to the Email Delivery service's Approved Senders list. Click Approved Senders in the left navigation and add the sender's email address.
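Before pointing the database at these settings, it is worth confirming that the values collected from the OCI console actually work. The following preflight script is an added example, not part of the original post or of Oracle's tooling: it checks the shape of the identity domain URL, requests a token from the domain's OAuth token endpoint with the client-credentials grant (the same grant type the OAuth client was configured with), and performs a STARTTLS login against the Email Delivery SMTP endpoint with the generated SMTP credentials. The environment variable names (MFA_DOMAIN_URL, MFA_CLIENT_ID, MFA_CLIENT_SECRET, MFA_SMTP_HOST, MFA_SMTP_PORT, MFA_SMTP_USER, MFA_SMTP_PASSWORD) and the domain URL pattern are assumptions of this example.

```python
"""Preflight check for the OCI-side MFA settings.

Added example, not part of the original post. It verifies, before any
ALTER SYSTEM is run, that:
  * the identity domain URL has the expected default shape,
  * the OAuth client can obtain a token with the client-credentials grant,
  * the OCI Email Delivery SMTP credentials work over STARTTLS on port 587.
Values are read from environment variables so no secret is typed into a file.
"""
import base64
import json
import os
import re
import smtplib
import ssl
import urllib.request

# Assumption: the domain URL is the default OCI IAM identity-domain form
# (https://idcs-<hex>.identity.oraclecloud.com). Tenancies that use a custom
# domain name would need a different pattern.
DOMAIN_URL_RE = re.compile(r"^https://idcs-[0-9a-f]+\.identity\.oraclecloud\.com$")

TOKEN_PATH = "/oauth2/v1/token"
TOKEN_SCOPE = "urn:opc:idm:__myscopes__"


def check_domain_url(url: str) -> str:
    """Return the URL without a trailing slash, or raise ValueError."""
    url = url.strip().rstrip("/")
    if not DOMAIN_URL_RE.match(url):
        raise ValueError(f"unexpected identity domain URL: {url!r}")
    return url


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential (client_id:client_secret) for the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(domain_url: str, client_id: str,
                        client_secret: str) -> urllib.request.Request:
    """POST to the domain's token endpoint using the client-credentials grant."""
    body = f"grant_type=client_credentials&scope={TOKEN_SCOPE}".encode()
    return urllib.request.Request(
        check_domain_url(domain_url) + TOKEN_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_token_response(body: bytes) -> dict:
    """Reduce the token endpoint's JSON reply to what the check needs."""
    doc = json.loads(body)
    if "access_token" not in doc:
        return {"ok": False, "error": doc.get("error", "no access_token in response")}
    return {"ok": True, "token_type": doc.get("token_type"),
            "expires_in": doc.get("expires_in")}


def check_smtp_port(port: int) -> bool:
    """The post uses STARTTLS on 587; anything else deserves a second look."""
    return port == 587


def smtp_login_ok(host: str, port: int, user: str, password: str) -> bool:
    """Live check: STARTTLS then AUTH, which is what the database will do."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)
        smtp.login(user, password)
    return True


def main() -> None:
    env = os.environ
    domain = check_domain_url(env["MFA_DOMAIN_URL"])
    req = build_token_request(domain, env["MFA_CLIENT_ID"], env["MFA_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=15) as resp:
        print("oauth:", parse_token_response(resp.read()))
    port = int(env.get("MFA_SMTP_PORT", "587"))
    if not check_smtp_port(port):
        print(f"smtp: port {port} is not 587, review the Email Delivery settings")
    print("smtp login ok:", smtp_login_ok(env["MFA_SMTP_HOST"], port,
                                          env["MFA_SMTP_USER"], env["MFA_SMTP_PASSWORD"]))


if __name__ == "__main__":
    main()
```

Run it from a host that can reach both the identity domain and the SMTP endpoint; a failed token request usually means the client is not yet activated or the grant type is wrong, while an SMTP authentication error points at the credentials rather than at the database.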

Database configuration

Configure MFA-related database parameters as SYSDBA.

-- Domain URL noted in the previous step
alter system set mfa_oma_iam_domain_url = "https://idcs-*****************.identity.oraclecloud.com";
-- SMTP sending information from OCI Email Delivery
alter system set mfa_smtp_host = "smtp.email.ca-toronto-1.oci.oraclecloud.com";
alter system set mfa_smtp_port = 587;
-- Sender address must be on the Email Delivery Approved Senders list
alter system set mfa_sender_email_id = "sender-email@example.ca";
alter system set mfa_sender_email_displayname = "Oracle Database MFA";

Verify that the WALLET_ROOT parameter is configured in the database. If it is not set, configure it and restart the database for the change to take effect.

alter system set WALLET_ROOT="/opt/oracle/dcs/commonstore/wallets" scope=spfile;

Configure Oracle Wallet

Connect to the database server over SSH as the oracle user. Set the required environment variables (such as ORACLE_HOME and ORACLE_SID), then create a wallet in the location held by the WALLET_PATH shell variable, which is derived from WALLET_ROOT and the SID as shown below.

WALLET_ROOT: /opt/oracle/dcs/commonstore/wallets

WALLET_PATH: $WALLET_ROOT/$ORACLE_SID/mfa

WALLET_PATH=/opt/oracle/dcs/commonstore/wallets/ORA19S/mfa

orapki wallet create -wallet $WALLET_PATH -auto_login -compat_v12

You need to provide a password for the new Oracle Wallet. Check the wallet files created under the WALLET_PATH directory (ewallet.p12 and, because of -auto_login, cwallet.sso).

Next, store the CLIENT_ID, CLIENT_SECRET, SMTP_USER, and SMTP_PASSWORD values in the wallet using the following commands. The values were obtained from the earlier configuration steps; assign them as shell variables first (no spaces around the equals sign, and quoted, so that the mkstore commands below can expand them):

CLIENT_ID='6a3a853add814c12937954fcccdc9ae8'
CLIENT_SECRET='idcscs-343dfdf-6837-fdfdfb-b740-3434ddgfgfs'
SMTP_USER='ocid1.user.oc1..aaaaaaaaujxxxxxxxxxxxxxxxxxx7x74a@ocid1.tenancy.oc1..aaaaaaaaqkfafm7ykyzmszzxxxxxxxxxxxxxcrdn7a.k8.com'
SMTP_PASSWORD='LjVaxxxxxxxxxxxxxxxx1'

# Store the Client ID
mkstore -wrl $WALLET_PATH -createEntry oracle.security.mfa.oma.clientid "$CLIENT_ID"

# Store the Client Secret
mkstore -wrl $WALLET_PATH -createEntry oracle.security.mfa.oma.clientsecret "$CLIENT_SECRET"

# Store the SMTP User
mkstore -wrl $WALLET_PATH -createEntry oracle.security.mfa.smtp.user "$SMTP_USER"

# Store the SMTP Password
mkstore -wrl $WALLET_PATH -createEntry oracle.security.mfa.smtp.password "$SMTP_PASSWORD"

You can verify the configured values by listing the wallet entries:

mkstore -wrl $WALLET_PATH -list

To view a specific entry using its alias:

mkstore -wrl $WALLET_PATH -viewEntry oracle.security.mfa.smtp.user

Create a new user or update an existing user for MFA

create user mfauser identified by "<password>" and factor 'OMA_PUSH' as '<user-email>';

grant connect,resource to mfauser;

An enrollment email will be sent to the user to register their OMA account if the email address is not yet registered with this domain.

Scan the QR code using the Oracle Mobile Authenticator (OMA) app and add the account.

Once the account is enrolled and push notifications are enabled, each login sends a push notification to the user, who must approve it in the OMA app to complete authentication. This step is required regardless of the client used, whether it's SQL*Plus or any other supported tool.

To enroll an existing user, run the following command:

alter user <username> add factor 'OMA_PUSH' as '<user-email>';

Conclusion

Oracle’s July 2025 DBRU for 19c and 23c adds native multi-factor authentication (MFA), removing the previous dependence on external identity providers (e.g., Entra ID, OCI IAM, RADIUS). This built-in capability streamlines deployment and strengthens access security in line with modern standards. As of this writing, Oracle Mobile Authenticator (OMA) and Cisco Duo are supported on both Android and iOS.

Recommendations

  • Prioritize rollout of native MFA for privileged and high-risk accounts first, then extend to all database users.
  • Standardize on one authenticator (OMA or Duo) per environment to simplify support and user training.
  • Pilot and phase: test in non-prod, validate client/driver compatibility, then move to production with a staged cutover.
  • Update your docs: revise onboarding, password policies, and operational runbooks to reflect MFA.
  • Monitor & tune: enable auditing for MFA events and review logs/alerts regularly to verify adoption and catch issues early.