Multi-factor authentication concepts
IBM MFA relies on multiple authentication factors.
A multi-factor authentication system requires that multiple authentication factors be presented during logon in order to verify a user's identity. Each authentication factor must be from a separate category of credential types.
Requiring multiple authentication factors improves the security of your user account.
- Out-of-band authentication allows you to authenticate on a user-specific web page with one or more factors to retrieve a cache token credential that you use to log in. Out-of-band authentication is described in IBM MFA Out-of-Band concepts. Out-of-band authentication methods are described in Part 2: Out-of-Band Authentication.
- For in-band authentication, you generate a token using IBM MFA with SecurID or IBM TouchToken and use that token directly to log on. In-band authentication methods are described in Part 3: In-Band Authentication.
IBM MFA with SecurID
In the simplest terms, for IBM MFA with SecurID, the RSA Authentication Manager determines whether the user's credentials are valid and, if so, returns success to RACF. RACF then resumes control and completes the authentication and authorization process as usual.
IBM MFA with SecurID requires:
- "Something you have." (The hardware or software RSA SecurID token.)
- "Two things you know." (An RSA SecurID Personal Identification Number (PIN), and something you know.)
IBM TouchToken
For IBM MFA with IBM TouchToken, you use the IBM TouchToken for iOS application on supported Apple devices to generate a hashed, timed one-time password (OTP), and then use this password together with your z/OS user name to log on to the z/OS system.
The OTP generated by the IBM TouchToken for iOS application must match the OTP generated by the IBM TouchToken component on the z/OS server. OTPs are regenerated at regular intervals.
- "Something you have." (The Apple Touch ID device, with the provisioned IBM TouchToken for iOS application.)
- "Something you are." (Your fingerprint.)
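The following is an added example, not IBM's TouchToken code, showing how a time-based OTP of the kind described above is computed on the client and checked on the server. It assumes an RFC 6238-style HMAC-SHA1 TOTP with a constructed 30-second step and a constructed shared secret; IBM's actual parameters may differ.

```python
# Added example (not IBM's code): RFC 6238-style time-based OTP generation and
# server-side verification. Client and server share a secret and compute the
# OTP for the same time step; the server accepts only a matching, unused code.
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # OTP regeneration interval (assumed; IBM's value may differ)
DIGITS = 6          # OTP length (assumed)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Compute the HMAC-SHA1 based OTP for the time step containing unix_time."""
    counter = unix_time // step                       # number of elapsed steps
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: accept an OTP only if it matches the current or an adjacent
    step (clock-skew tolerance) and that step has not already been consumed,
    so a captured code cannot be replayed within its validity interval."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1   # highest step already used for logon

    def verify(self, candidate: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue                  # step already consumed: reject replay
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, candidate):   # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False
```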
IBM MFA Certificate Authentication
IBM MFA Certificate Authentication is a general purpose certificate authentication that includes Common Access Card (CAC) and Personal Identification Verification (PIV) cards. Certificate authentication uses the client identity certificate to authenticate the user.
- "Something you have." (The approved certificate, typically from a PIV or CAC card or other smart card.)
- "Something you know." (The Personal Identification Number (PIN).)