Support for Multi-Factor Authentication using RACF

CICS® Transaction Server for z/OS® provides support for Multi-Factor Authentication (MFA) using RACF®.

If you are a RACF user, see Multi-Factor Authentication for z/OS in z/OS Security Server RACF Security Administrator's Guide for an overview of MFA and the prerequisites for this feature.

If you are using other security products, see the documentation of your ESM for details of support and prerequisites.

The following information describes how to implement MFA in CICS, based on the example of RACF and IBM® Multi-Factor Authentication for z/OS.

Support overview

CICS supports in-band MFA tokens, that is, tokens that the user supplies in the logon credential fields in place of a password or password phrase. If you use z/OS Out-of-Band authentication, a one-time-use token can be generated out of band and then presented to CICS in the same way.

Which logon interfaces support MFA tokens

MFA tokens are supported on the following session-based logon interfaces:

Table 1. Session-based logon interfaces that support MFA

Interface: CICS Explorer
CICS level requirement: CICS TS V5.4 with APAR PI87691, or later

Interface: CESN and CESL; CICSPlex® SM Web User Interface; user-written sign-on programs using EXEC CICS SIGNON
CICS level requirement (any one of the following):
  • CICS TS V4.2 with APAR PI21865
  • CICS TS V5.1 with APAR PI21866
  • CICS TS V5.2 with APAR PI21866
  • CICS TS V5.3 or later

How to use MFA tokens on stateless requests

Stateless requests that cache credentials cannot use an MFA token directly as the cached credential. To use MFA tokens on such requests, the MFA token must first be converted to a time-limited security token, and the logged-on user must then present that security token as the cached credentials on subsequent requests.

CICS can convert an MFA token to a JWT, which serves as the time-limited security token, using the VERIFY TOKEN command. For more information about VERIFY TOKEN, see VERIFY TOKEN.
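The conversion step above, as an added example that is not code from the CICS documentation or from IBM: a COBOL program receives an HTTP Basic credential that carries a userid and an in-band MFA token, verifies it through the ESM with EXEC CICS VERIFY TOKEN, and returns the resulting JWT to the client, which then sends the JWT instead of the MFA token on its later stateless requests until the JWT expires. It assumes that a JWT provider is configured for the region (required for JWT output), that the credential is delivered in the form shown, and that the sample credential is a constructed value (base64 of "USER01:123456", with a placeholder token). The option names are those of the VERIFY TOKEN and WEB SEND commands; confirm them against the reference for your CICS level.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. MFAJWT.
      *----------------------------------------------------------------
      * Added example, not from the CICS documentation.
      * Verify "userid:MFA-token" (HTTP Basic, base64) with the ESM
      * and ask CICS for a JWT that the client can cache and present
      * on later stateless requests in place of the MFA token.
      * Assumptions: a JWT provider is configured for the region;
      * WS-BASIC-CRED is a constructed sample value.
      *----------------------------------------------------------------
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * Constructed credential: base64("USER01:123456"), 20 bytes.
       01 WS-BASIC-CRED          PIC X(256)
                                 VALUE 'VVNFUjAxOjEyMzQ1Ng=='.
       01 WS-BASIC-LEN           PIC S9(8) COMP VALUE 20.
      * Output buffer for the JWT. OUTTOKENLEN is the buffer size on
      * input and the returned token length on output.
       01 WS-JWT                 PIC X(4096) VALUE SPACES.
       01 WS-JWT-LEN             PIC S9(8) COMP VALUE 4096.
       01 WS-RESP                PIC S9(8) COMP.
       01 WS-RESP2               PIC S9(8) COMP.
       01 WS-ESMRESP             PIC S9(8) COMP.
       01 WS-ESMREASON           PIC S9(8) COMP.
       01 WS-MSG                 PIC X(80).
       01 WS-OK                  PIC X(2)  VALUE 'OK'.
       01 WS-UNAUTH              PIC X(12) VALUE 'Unauthorized'.
       PROCEDURE DIVISION.
      * VERIFY TOKEN checks the credential with the ESM; it does not
      * sign the user on to this task. With OUTTOKENTYPE(JWT) CICS
      * also builds a JWT for the verified userid.
           EXEC CICS VERIFY
                TOKEN(WS-BASIC-CRED)
                TOKENLEN(WS-BASIC-LEN)
                TOKENTYPE(DFHVALUE(BASICAUTH))
                ENCODING(DFHVALUE(BASE64))
                OUTTOKEN(WS-JWT)
                OUTTOKENLEN(WS-JWT-LEN)
                OUTTOKENTYPE(DFHVALUE(JWT))
                ESMRESP(WS-ESMRESP)
                ESMREASON(WS-ESMREASON)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC.

           EVALUATE WS-RESP
              WHEN DFHRESP(NORMAL)
      *          WS-JWT(1:WS-JWT-LEN) holds the JWT; hand it back to
      *          the client as the credential to cache.
                 PERFORM RETURN-JWT
              WHEN DFHRESP(NOTAUTH)
      *          The ESM rejected the userid or the MFA token. Do not
      *          tell the client which; keep ESMRESP/ESMREASON for the
      *          security administrator.
                 MOVE 'Authentication failed' TO WS-MSG
                 PERFORM RETURN-ERROR
              WHEN OTHER
      *          INVREQ, LENGERR and similar indicate configuration or
      *          programming errors (for example, no JWT provider).
                 MOVE 'VERIFY TOKEN failed' TO WS-MSG
                 PERFORM RETURN-ERROR
           END-EVALUATE.
           EXEC CICS RETURN END-EXEC.

       RETURN-JWT.
           EXEC CICS WEB SEND
                FROM(WS-JWT) FROMLENGTH(WS-JWT-LEN)
                MEDIATYPE('application/jwt')
                STATUSCODE(200)
                STATUSTEXT(WS-OK) STATUSLEN(LENGTH OF WS-OK)
           END-EXEC.

       RETURN-ERROR.
           EXEC CICS WEB SEND
                FROM(WS-MSG) FROMLENGTH(LENGTH OF WS-MSG)
                MEDIATYPE('text/plain')
                STATUSCODE(401)
                STATUSTEXT(WS-UNAUTH) STATUSLEN(LENGTH OF WS-UNAUTH)
           END-EXEC.
```

The program deliberately returns the same generic failure for a bad userid and a bad MFA token, and records the ESM response and reason codes only on the server side, so that a client probing the endpoint learns nothing beyond "rejected". The JWT's expiry, not the MFA token, now bounds how long the cached credential remains usable.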

Consideration on MFA input fields

Depending on their length, MFA tokens are entered in either the password field or the password phrase field. A RACF password is limited to 8 characters, so a token longer than 8 characters must be entered in the password phrase field on an interface that accepts password phrases (for example, CESL).

Learn more