Password with appended additional factor
There are interfaces that require a password but do not have an additional factor field.
When a user is required to enter an additional factor into this type of interface, they must enter the password and the additional factor, separated by a colon (:), in the password field. The format of the value entered into the password field must be password:additional_factor (example: myAmazingPa$$w0rd:358538).
This password format is only supported if the Additional sign-on factor security attribute is enabled and the user has an authentication method other than *NONE; otherwise, the authentication will fail. If the interface has an additional factor field, use the additional factor field and do not append the additional factor to the password.
A colon is allowed as part of the password. If an additional authentication factor is supported, the search for the colon separating the password and the additional factor starts at the end of the string and looks backward until the colon is found.
- If using an authentication method of *TOTP, the user’s password length should not exceed 121 bytes, which allows for the password plus 1 (for the colon) plus 6 (for the TOTP value).
- If only using an authentication method of *REGFAC, the additional factor gets passed to the exit program registered under the QIBM_QSY_AUTH exit point. A user’s password length should not exceed 128 bytes minus 1 (for the colon) minus n, where n is the length of the additional factor the exit program expects (1-64).
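The split rule and length limits above, sketched as an added Python example (not IBM i code). The function names, the `regfac_len` parameter, the treatment of n as an exact length, and the sample values are assumptions made for illustration.

```python
# Added illustration, not IBM i code. Limits and the split rule come from the text above.
MAX_FIELD_BYTES = 128  # password + 1 (colon) + factor
TOTP_DIGITS = 6

def split_password_field(field: bytes, method: str, regfac_len: int = 0):
    """Split b'password:additional_factor' on the LAST colon and apply the limits.

    method is '*TOTP' or '*REGFAC'. regfac_len (assumed parameter) is n, the
    factor length the exit program expects (1-64), treated here as exact.
    Returns (password, factor) or raises ValueError.
    """
    if method == "*TOTP":
        n = TOTP_DIGITS
    elif method == "*REGFAC":
        if not 1 <= regfac_len <= 64:
            raise ValueError("REGFAC factor length must be 1-64")
        n = regfac_len
    else:
        raise ValueError("appended factor requires a method other than *NONE")
    # Backward search: colons that are part of the password stay in the password.
    password, sep, factor = field.rpartition(b":")
    if not sep:
        raise ValueError("no colon separator found")
    if len(factor) != n:
        raise ValueError(f"factor must be {n} bytes, got {len(factor)}")
    if method == "*TOTP" and not factor.isdigit():
        raise ValueError("TOTP value must be numeric")
    if len(password) > MAX_FIELD_BYTES - 1 - n:
        raise ValueError(f"password exceeds {MAX_FIELD_BYTES - 1 - n} bytes")
    if not password:
        raise ValueError("empty password")
    return password, factor

def accepts(field: bytes, method: str, regfac_len: int = 0) -> bool:
    """True if the field parses under the rules above, False otherwise."""
    try:
        split_password_field(field, method, regfac_len)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample inputs.
    print(split_password_field(b"myAmazingPa$$w0rd:358538", "*TOTP"))
    print(split_password_field(b"a:b:c:358538", "*TOTP"))  # colons kept in password
    print(accepts(b"corp:password", "*TOTP"))  # colon in password, no factor appended
```

The last sample shows the failure mode worth testing for: a password that contains a colon, entered without a factor, has its trailing portion read as the additional factor.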
Appending the TOTP value to the password does not work when the client application uses password substitution that is based on a one-way hash. Some IBM® clients use this encapsulation to protect passwords in transit. Examples of client applications that would not support appending the TOTP value to the password are IBM i Access Client Solutions (ACS), IBM Navigator for i, and Digital Certificate Manager (DCM). The additional factor needs to be entered in the additional factor field for these interfaces.