IBM® Multi-factor authentication

Beginning with IBM z16 support for more factor types through the IBM Multi-Factor Authentication (IBM MFA) product was added. The system administrator can require users to supply their RADIUS authentication code or an authentication code based on their digital certificate. These factor types are known in IBM MFA as AZFRADP1 and AZFCERT1, respectively. The Hardware Management Console user definition must identify an MFA policy that contains a single supported factor type and the HMC works with the IBM MFA server to validate these additional authentication codes. To validate a user's RADIUS authentication code when a user is logging onto the HMC, IBM MFA contacts the customer's RADIUS server to validate the user's RADIUS userid and authentication code. If the user is configured for the AZFCERT1 factor type, they must first access the IBM MFA web server using the URL provided to them by the system administrator. At that website, the user must provide their digital certificate for validation by IBM MFA. Upon successful validation, IBM MFA generates an authentication code, known as a Cache Token Credential (CTC). The user then provides that CTC to the HMC as their authentication code when logging onto the HMC.

Beginning with IBM z15®, support for the RSA SecurID tokens through the IBM Multi-Factor Authentication for z/OS® product was added. The RSA SecurID factor types are known as AZFSIDP1 and AZFSIDR1 in IBM Multi-Factor Authentication for z/OS. The HMC user definition must identify an MFA policy that contains a single-supported factor type. When a user is required by the system administrator to use RSA SecurID when logging onto the HMC, the user must supply their current RSA SecurID passcode and their HMC user ID and logon password. After validating the HMC user ID and password, the HMC passes the user’s MFA user ID and the supplied RSA SecurID passcode to the IBM MFA instance associated with the HMC user ID. The IBM MFA verifies that the IBM MFA user ID is known to it and is configured to use RSA SecurID. IBM MFA then contacts the customer's RSA SecurID Authentication Manager server to validate the user’s RSA user ID and the passcode supplied by the user.

Beginning with IBM z14®, support for multi-factor authentication (MFA) was added. This added an optional second authentication factor in addition to a user's console login password when accessing the console. Specifically, the user must enter a 6-digit authentication code a Time-based One-Time Password (TOTP) as defined by RFC 6238 which is based on the current time and a 32-character user-specific shared secret key. The TOTP is validated by the console with no dependencies for network connectivity or outside components or products. There are many freely available smartphone apps that can be configured with the user's shared secret key to generate the user's current TOTP.