Running ACS Commands on IBM i with MFA Enabled

When running ACS commands directly on the IBM® i and the current job has an authentication method of *TOTP, an authentication failure will occur and ACS will prompt for a current *TOTP under either of the following conditions:

  • The optional interval is set to *NONE
  • The optional interval is set to a positive value, but the interval is not active or has expired

The authentication failure occurs because the credentials from the job are used to authenticate without prompting. When a TOTP is required, the job’s credentials are not enough. ACS will prompt the user to provide new credentials along with a TOTP. This will only work when the command is entered interactively:

  • In an interactive job, the user can enter the new credentials and TOTP.
  • In a batch job, there is no way to prompt, so the job will hang indefinitely.

An example of an ACS command that may be entered on IBM i interactively or in batch mode is: plugin=cldownload.