Enabling MFA on your system
To enable multi-factor authentication (MFA) on your system, the administrator must enable the Additional sign-on factor security attribute.
The Additional sign-on factor security attribute is required to use the *TOTP authentication method; with *TOTP, the additional factor must be a TOTP value.
If only the *REGFAC authentication method is used, the exit program may require an additional factor, in which case the Additional sign-on factor security attribute must be enabled. If the exit program does not require an additional factor, the attribute does not need to be enabled. The type of additional factor is defined by the exit program.
To enable the Additional sign-on factor security attribute:
- The security level must be 40 or greater and the password level must be 4 or greater.
Interfaces that show the current security level and current password level:
- Display Security Attributes (DSPSECA) command
- In IBM Navigator for i, expand . Click Security Configuration Information.
If the security level needs to be changed, refer to Using System Security (QSECURITY) system value to understand the impacts of making a change.
If the password level needs to be changed, refer to Planning password level changes to understand the impacts of making a change.
- Change the Additional sign-on factor security attribute, if it is not already *ENABLED.
Interfaces that show the current additional sign-on factor value:
- Display Security Attributes (DSPSECA) command
- In IBM Navigator for i, expand . Click Security Configuration Information.
Interfaces that change the additional sign-on factor value:
- Change Security Attributes (CHGSECA) command, Additional sign-on factor (ADLSGNFAC) parameter.
- In IBM Navigator for i, expand .
- Click Security Configuration Information.
- Right click Additional Signon Factor and select Change.
- In the Change Additional Signon Factor panel, select Enabled from the Additional Signon Factor pull-down.
- Click Save.
If the SST security attribute does not allow this attribute to be changed, use the Change SST Security Attributes (CHGSSTSECA) command to set the Change additional sign-on factor (CHGADLSGN) parameter to *YES. Then start again at step 2.
To prohibit the changing of the Additional sign-on factor security attribute after you have set it to the desired value, use the Change SST Security Attributes (CHGSSTSECA) command to set the Change additional sign-on factor (CHGADLSGN) parameter to *NO.
If you have a customized sign-on screen, you must create a new one based on QDSIGNON3 before you IPL. For more information, refer to Signon screen display file and Creating a sign-on display file.
If the additional sign-on factor is being changed from *DISABLED to *ENABLED, IPL the system for the pending value to take effect.
- Optionally set up the Network Time Protocol (NTP) client to synchronize the time on devices. For more information, refer to Network Time Protocol (NTP) time synchronization.
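The steps above can be scripted as a CL program so that the prerequisite check, the SST unlock, the attribute change and the SST re-lock happen in one reviewed unit. The program below is an added example, not code from the IBM documentation. It uses only the commands named on this page plus RTVSYSVAL and SNDPGMMSG; the declared length of the QPWDLVL return variable is an assumption to be checked against the RTVSYSVAL documentation for your release, and the program deliberately does not IPL the system.

```cl
/* Added example (not from the IBM documentation): enable the        */
/* Additional sign-on factor security attribute with the checks the  */
/* procedure calls for. Assumptions: QSECURITY is returned as CHAR(2)*/
/* and QPWDLVL as a packed decimal; adjust the DCLs if your release  */
/* documents different types. The change stays pending until IPL.   */
PGM
  DCL VAR(&SECLVL) TYPE(*CHAR) LEN(2)
  DCL VAR(&PWDLVL) TYPE(*DEC)  LEN(5 0)  /* assumption: see RTVSYSVAL doc */
  DCL VAR(&PWDTXT) TYPE(*CHAR) LEN(5)

  /* Step 1: security level must be 40 or greater, password level 4 or greater */
  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&SECLVL)
  RTVSYSVAL SYSVAL(QPWDLVL)   RTNVAR(&PWDLVL)
  CHGVAR    VAR(&PWDTXT) VALUE(&PWDLVL)

  IF COND(&SECLVL *LT '40') THEN(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
      MSGDTA('QSECURITY is' *BCAT &SECLVL *BCAT +
             '- it must be 40 or greater before MFA can be enabled')
  ENDDO
  IF COND(&PWDLVL *LT 4) THEN(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
      MSGDTA('QPWDLVL is' *BCAT &PWDTXT *BCAT +
             '- it must be 4 or greater before MFA can be enabled')
  ENDDO

  /* Step 2: clear the SST lock so the attribute may be changed, change it, */
  /* then re-lock it so it cannot be changed again without SST authority.   */
  CHGSSTSECA CHGADLSGN(*YES)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
      MSGDTA('CHGSSTSECA CHGADLSGN(*YES) failed; attribute not changed')
  ENDDO

  CHGSECA ADLSGNFAC(*ENABLED)
  MONMSG MSGID(CPF0000) EXEC(DO)
    CHGSSTSECA CHGADLSGN(*NO)        /* restore the lock even on failure */
    MONMSG MSGID(CPF0000)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
      MSGDTA('CHGSECA ADLSGNFAC(*ENABLED) failed; SST lock restored')
  ENDDO

  CHGSSTSECA CHGADLSGN(*NO)
  MONMSG MSGID(CPF0000) EXEC(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
    MSGTYPE(*DIAG) MSGDTA('Attribute enabled but CHGADLSGN(*NO) failed; +
    re-lock it manually'))

  /* The new value is pending: confirm with DSPSECA, then IPL when convenient. */
  SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*COMP) +
    MSGDTA('Additional sign-on factor set to *ENABLED (pending until IPL)')
ENDPGM
```

Compile it with CRTCLPGM from a profile that is authorized to CHGSECA and CHGSSTSECA, CALL it, and verify the pending value with DSPSECA before scheduling the IPL. If you maintain a customized sign-on display file, rebuild it from QDSIGNON3 before that IPL, as described above.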
To enable *REGFAC authentication method:
- Add Exit Program (ADDEXITPGM) command. The default wait time for the exit program to complete processing is 10 seconds. To change the wait time, use the Program Data (PGMDTA) parameter.
For example, this will change the wait time to 20 seconds:
ADDEXITPGM EXITPNT(QIBM_QSY_AUTH) FORMAT(AUTH0100) PGMNBR(1) PGM(your_library/your_exit_pgm) REPLACE(*YES) CRTEXITPNT(*NO) PGMDTA(*JOB *CALC 20)
- In IBM Navigator for i, expand .
- Click Authentication Exit Point.
- Right click the QIBM_QSY_AUTH exit point name and select Add Exit Program.
- In the Add Exit Program panel, enter the exit program name in the Program field and the library name in the Library field.
- Click OK.