Requiring multifactor authentication
Starting with IBM® Storage Copy Data Management 2.2.21, you can set up multifactor authentication (MFA) on new and existing IBM Storage Copy Data Management user accounts. MFA provides an extra layer of protection by requiring users to sign in with both a password and a time-based one-time password (TOTP). The implementation covers enabling or disabling MFA, user enrollment, login with MFA, token expiration, and administrative control over MFA settings.
A user with the ADMIN role can enable, disable, and expire multifactor authentication (MFA) on both new and existing accounts. Multifactor authentication requires users to verify their identity by using more than one method. When multifactor authentication is required, you must provide a one-time passcode in addition to the traditional password. The passcode is valid only for the current session and is generated on a trusted device. A trusted device is a device that only the user can access. To use this feature, you must install a security application on your trusted device. The trusted device is typically a mobile phone, but it can be a different device such as a tablet or laptop. The security application generates a time-based one-time password (TOTP) that is used during the sign-in process.
A user without the ADMIN role can only enroll in MFA and log in by using it.
- By default, the time-based one-time password (TOTP) is disabled. If you want to enable TOTP for a user account, you must manually enable it in the IBM Storage Copy Data Management user interface.
- A user with the ADMIN role has the permissions or access rights to enable or disable time-based one-time password (TOTP) multifactor authentication (MFA).
- A user with the ADMIN role has the permissions or access rights to expire the existing MFA TOTP secret keys.
- The time that is displayed on the user's mobile device or workstation, where the security application is installed, must be synchronized with the IBM Storage Copy Data Management server time. You must use an NTP server to keep the IBM Storage Copy Data Management server and your mobile device or workstation in time sync.
- When the time-based one-time password (TOTP) is enabled for a user, all existing sessions that are associated with that user expire.
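The following added example (not IBM code; it is an illustration of the standard TOTP algorithm from RFC 6238 that authenticator applications implement) shows why the time-synchronization requirement above matters. It derives a 6-digit code from a shared secret and the current 30-second time step, then verifies a code submitted from a device whose clock is ahead of the server. The secret is the RFC 6238 test vector, and the `window` tolerance of one step on either side is an assumption for illustration; the page does not state what skew IBM Storage Copy Data Management accepts.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by most authenticator apps

# RFC 6238 published test secret (ASCII "12345678901234567890"), not a real key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit big-endian counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP = HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, candidate: str, server_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept a code from the current step or up to `window` steps on either side.

    A wider window tolerates more clock skew but also extends the lifetime
    of any intercepted code, so it should stay small.
    """
    counter = server_time // step
    for drift in range(-window, window + 1):
        # compare_digest avoids leaking which digits matched via timing
        if hmac.compare_digest(hotp(secret, counter + drift), candidate):
            return True
    return False


def device_code_accepted(secret: bytes, server_time: int,
                         device_skew_seconds: int, window: int = 1) -> bool:
    """Simulate a device whose clock is off by `device_skew_seconds`.

    The device computes its code from its own (skewed) clock; the server
    verifies it against the server clock.
    """
    device_code = totp(secret, server_time + device_skew_seconds)
    return verify_totp(secret, device_code, server_time, window=window)


def secret_to_base32(secret: bytes) -> str:
    """Enrollment QR codes carry the secret in Base32, which apps decode."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    server_now = 1111111109  # fixed RFC 6238 sample time for a reproducible demo
    print("server code now:", totp(RFC_SECRET, server_now))
    for skew in (0, 2, 120):
        print(f"device clock +{skew}s accepted:",
              device_code_accepted(RFC_SECRET, server_now, skew))
```

With the server at 1111111109, a device that is two seconds ahead crosses into the next 30-second step; its code is still accepted because of the one-step window, but a device that is two minutes ahead produces a code four steps away and is rejected, which is exactly the failure an unsynchronized clock causes at sign-in.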
After your account is successfully set up with MFA, the account can be accessed only by specifying both the password and a TOTP passcode. This additional layer of protection ensures that only the rightful owner of the account can access it.