Using Multi-Factor Authentication

There are multiple MFA solutions available for z/OS, and each of them has its own defaults, which do not always match z/OS Explorer expectations. This section documents the basic requirements and expected behavior of your MFA solution for it to work with z/OS Explorer:

• MFA must be configured to allow for PassTicket usage after initial authentication.
• PassTickets will be used during the whole lifetime of a user session, so the window in which PassTickets are accepted after initial authentication must be big enough to cover a typical workday, and must be at least long enough to cover the logon process.
• When PassTickets usage fails, the client connection will be severed and the user must log on again (and thus re-authenticate). This behavior is similar to users being disconnected because of inactivity timeout.
• If MFA is set up to prompt for a second authentication, it will show to the user as though the first authentication failed, even if it was successful.