Setting up MFA on your system

To set up multi-factor authentication (MFA) on your system, you must enable the Additional sign-on factor security attribute. When it is enabled, you can change specific user profiles so that those users are required to enter an additional factor when authenticating.

Figure 1. Flow of setting up MFA on your system

Administrator actions:

For more information, refer to Enabling MFA on your system.

Step 1
  • The Additional sign-on factor security attribute must be enabled to enforce the *TOTP authentication method. If you are only using the *REGFAC authentication method, you do not need to enable the Additional sign-on factor security attribute unless your exit program requires the additional factor to be passed to it in the Additional authentication exit information parameter. To enable it:
    • Make sure system requirements are met.
    • If you have a customized sign-on screen, make the necessary changes.
    • Turn on MFA by enabling the Additional sign-on factor security attribute and IPL.
  • To enable the *TOTP authentication method:
    • Notify the identified users that they need to set their TOTP key. The administrator cannot set the TOTP key for a user profile; each user must set their own TOTP key.
  • To enable the *REGFAC authentication method:
    • Register the QIBM_QSY_AUTH exit program in the registration facility.

User actions:

These steps are only required if the authentication method is being set to *TOTP. For more information, refer to Enabling MFA for a user.

Step 2
  • Set their TOTP key. This saves the TOTP key in their user profile.
Step 3
  • Save the recovery key in a safe place. The recovery key was generated when they set their TOTP key.
Step 4
  • Enter their TOTP key into their client application.
  • Validate the TOTP value generated by the client application.
  • Notify the administrator that their TOTP key has been set.
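The TOTP mechanism behind steps 2 to 4 (the shared key the user enters into the client application, and the time-based value that is then validated against it) follows RFC 6238. The Python script below is added here as an illustration; it is not part of IBM's documentation or of the operating system's own implementation. It generates a Base32 shared key, derives the 6-digit value for a 30-second time step from that key, and verifies a submitted value with a one-step tolerance window for clock skew between the client device and the system. The key length, digit count, time step and window are assumptions chosen to match common authenticator apps, not values taken from this page.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_totp_key(nbytes: int = 20) -> str:
    """Return a random Base32 shared key (the 'TOTP key' a user enters into the client app).

    20 random bytes is an assumption (the RFC 4226 recommended minimum); padding is
    stripped because authenticator apps expect unpadded Base32.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_key(b32: str) -> bytes:
    """Turn the unpadded Base32 key back into the raw HMAC secret."""
    padded = b32.strip().upper() + "=" * (-len(b32.strip()) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the value for the current step or any step within +/- window.

    The comparison is constant-time so that a wrong guess leaks nothing about
    how many digits matched. A window of 1 (one step either side) is a common
    default for tolerating clock drift on the user's device; it is an assumption here.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Step 2: the user sets a key.  Step 4: the key is entered into the client app,
    # which computes the current value; the system validates that value.
    shared = generate_totp_key()
    now = int(time.time())
    current = totp(decode_key(shared), now)
    print("shared key (Base32):", shared)
    print("current TOTP value :", current)
    print("validates          :", verify_totp(decode_key(shared), current, now))
```

The `hotp` and `totp` functions reproduce the published RFC 4226 / RFC 6238 test vectors (secret `12345678901234567890`, Unix time 59 gives `287082`), which is the quickest way to confirm an implementation before relying on it.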

Administrator actions for users:

Step 5
  • To enable the *TOTP authentication method:
    • If not notified, check if the user has set their TOTP key.
    • If the user’s TOTP key has been set, change the user profile to set the authentication method to include *TOTP and to set the desired TOTP optional interval.
  • To enable the *REGFAC authentication method:
    • Change the user profile to set the authentication method to include *REGFAC.