Additional sign-on factor security attribute
The Additional sign-on factor security attribute indicates whether multi-factor authentication (MFA) is enabled on your system. The attribute:
- Indicates if sign-on prompts should add an Additional factor field.
- Enables password:additional_factor parsing for user profiles that have an authentication method other than *NONE.
- Enables the verification of the TOTP value for user profiles with an authentication method of *TOTP.
- Enables passing the additional factor to the QIBM_QSY_AUTH exit program for user profiles with an authentication method of only *REGFAC.
When the additional sign-on factor is enabled, some interfaces will show an Additional factor field on the sign-on prompt along with the User and Password fields. The IBM i default sign-on panel will have an Additional factor field added. If you have a customized sign-on panel defined, you must change the definition to support the QDSIGNON3 format to add the additional factor field to your sign-on panel.
The additional sign-on factor security attribute is not saved or restored.
When the additional sign-on factor is enabled, the use of the additional factor field depends on the authentication method of the user profile:
- *TOTP
  - A TOTP value is required in the additional factor field.
- *TOTP and *REGFAC
  - A TOTP value is required in the additional factor field. The additional factor sent to the QIBM_QSY_AUTH exit program will be blank.
- *REGFAC
  - The QIBM_QSY_AUTH exit program can require an application-defined additional factor in the additional factor field. The additional factor sent to the exit program will be what is entered in the additional factor field.
- *NONE
  - The additional factor field is ignored.
If an interface does not have an additional factor field, but an additional factor is required, the additional factor can be entered in the password field as password:additional_factor. For more information, refer to Password with appended additional factor.
If the Additional sign-on factor security attribute is disabled, user profiles with an authentication method of *TOTP are not required to enter a TOTP value to authenticate.
The Change additional sign-on factor (CHGADLSGN) parameter of the Change SST Security Attributes (CHGSSTSECA) command controls whether the Change Security Attributes (CHGSECA) command or IBM Navigator for i can be used to enable or disable the additional sign-on factor. When the SST attribute indicates that the additional sign-on factor can be changed, either interface can be used to enable or disable it.
For more information, refer to Enabling MFA on your system and Enabling MFA for a user.
There is also a system service tools (SST) Additional sign-on factor security attribute that is used by SST/DST. For more information, refer to Service tools Multi-factor authentication (MFA).