Requiring multifactor authentication
Starting with IBM Storage® Protect Plus 10.1.15, you can set up multifactor authentication (MFA) on both new and existing IBM Storage Protect Plus user accounts. MFA provides an extra layer of protection by requiring users to present a password and a time-based one-time password (TOTP) to sign in.
A user with the SUPERUSER role can configure MFA on both new and existing accounts. Multifactor authentication requires users to verify their identity by using more than one method. When MFA is required, you must provide a one-time passcode in addition to your regular password. The passcode is valid only for the current sign-in and is generated on a trusted device, that is, a device that only the user can access. To use this feature, you must install a security (authenticator) application on your trusted device. The trusted device is typically a mobile phone, but it can be a different device such as a tablet or laptop. The security application generates a time-based one-time password (TOTP) that you enter during the sign-in process.
- By default, TOTP is disabled. To enable TOTP for a user account, you must enable it manually for that account in the IBM Storage Protect Plus user interface.
- A user with the SUPERUSER role can enable or disable TOTP multifactor authentication for an account.
- A user with the SUPERUSER role can expire the existing MFA TOTP secret keys, for example when a trusted device is lost or replaced.
- The clock on the device where the security application is installed (the user's mobile device or workstation) must be synchronized with the IBM Storage Protect Plus server clock. Because the passcode is derived from the current time, a device whose clock drifts too far from the server's generates passcodes that the server rejects.
- When TOTP is enabled for a user, all existing sessions that are associated with that user expire.
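The following added example is not IBM Storage Protect Plus code; it illustrates the TOTP mechanism that the security application and the server both implement, and why the device clock and server clock must agree. It assumes the RFC 6238 defaults that common authenticator applications use (HMAC-SHA1, 30-second time step, six digits); the product documentation does not state its own parameters, so those values, the `otpauth://` enrollment URI format, and the account and issuer names are assumptions for illustration only. The secret is the RFC 6238 test-vector secret, a constructed input rather than a real key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step (assumed; the product does not document its parameters)
DIGITS = 6          # six-digit passcodes, as typical authenticator applications display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock of the generating device."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int, step: int = STEP_SECONDS,
                digits: int = DIGITS, skew_steps: int = 1) -> bool:
    """Server-side check against the server clock.

    Accepts the code for the current step and +/- skew_steps neighbouring steps, which
    absorbs small clock drift and the seconds the user needs to type the code. Every
    candidate is compared in constant time so the loop does not leak which one matched.
    """
    counter = server_time // step
    matched = False
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = hotp(secret, counter + delta, digits)
        matched |= hmac.compare_digest(candidate, code)
    return matched


def sign_in_from_device(secret: bytes, device_time: int, server_time: int,
                        skew_steps: int = 1) -> bool:
    """Simulates a user whose authenticator runs on a device clock that may differ from the server's."""
    return verify_totp(secret, totp(secret, device_time), server_time, skew_steps=skew_steps)


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user TOTP secret; this is what a SUPERUSER-triggered key expiry would replace."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// key URI that authenticator applications import, usually shown as a QR code.
    The account and issuer labels are illustrative assumptions."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret (constructed input, not a real key)
    print(totp(secret, 59))            # 287082, matching the RFC 6238 SHA1 test vector
    print(provisioning_uri(secret, "alice", "IBM Storage Protect Plus"))
    # Same clock: accepted.
    print(sign_in_from_device(secret, device_time=1_000_000, server_time=1_000_000))
    # Device 25 seconds behind: still inside the one-step tolerance, accepted.
    print(sign_in_from_device(secret, device_time=1_000_000 - 25, server_time=1_000_000))
    # Device five minutes behind: the passcode belongs to a step ten slots old, rejected.
    print(sign_in_from_device(secret, device_time=1_000_000 - 300, server_time=1_000_000))
```

The last three calls show the synchronization requirement from the list above in practice: a verifier tolerates at most `skew_steps` time steps of drift, so a device clock that is minutes off produces passcodes the server will never accept, even though the shared secret is correct. Expiring a user's secret on the server and re-enrolling with a new `provisioning_uri` is the recovery path when the secret itself, rather than the clock, is in doubt.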
After your account is set up with MFA, it can be accessed only by providing both the password and a TOTP passcode. This additional layer of protection ensures that only the rightful owner of the account can sign in, even if the password is compromised.