Activate and deactivate users for IBM Security Verify Access

You use the ALTUSER or ALU command to activate users for IBM® Security Verify Access.

Before you begin

The user must already have an IBM Security Verify Access account that allows them to authenticate with multi-factor authentication and a one-time password (OTP).

Procedure

  1. Enter the following command to activate a user for IBM Security Verify Access:
    ALU [Login ID] MFA(FACTOR(AZFISAM1)
     ACTIVE TAGS(ISAMUSERID:user-ID AUTHCTX:auth-context))
    Where:
    • [Login ID] is the z/OS® user name.
    • ACTIVE activates the AZFISAM1 authenticator for the user ID.
    • ISAMUSERID is the IBM Security Verify Access user ID.
    • AUTHCTX optionally overrides the authentication context you configured in Configure IBM MFA for IBM Security Verify Access.
  2. Enter the following command to display IBM MFA information for a user profile:
    LISTUSER [Login ID] MFA
    MULTIFACTOR AUTHENTICATION INFORMATION:       
    FACTOR = AZFISAM1          
    STATUS = ACTIVE          
    FACTOR TAGS =            
         ISAMUSERID:user-id
         FAILCOUNT:0   
         AUTHCTX:myAuthCtx
  3. If needed, enter the following command to deactivate a user for IBM Security Verify Access:
    ALU [Login ID] MFA(FACTOR(AZFISAM1)
        NOACTIVE)
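
As an added example (not part of the IBM documentation), the following Python script parses LISTUSER ... MFA output in the layout shown in step 2 and reports when the AZFISAM1 factor is not active, when the ISAMUSERID tag differs from the expected value, or when FAILCOUNT is non-zero. The function names, the sample user IDs and the INACTIVE status value are assumptions.

```python
import re

FACTOR = "AZFISAM1"  # factor name from the ALU commands in this procedure

def parse_mfa(listuser_output):
    """Map each factor to its status and tags, from LISTUSER ... MFA output."""
    factors, current, in_tags = {}, None, False
    for raw in listuser_output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(FACTOR TAGS|FACTOR|STATUS)\s*=\s*(.*)", line)
        if m:
            key, value = m.groups()
            if key == "FACTOR":
                current = factors.setdefault(value, {"status": None, "tags": {}})
            elif key == "STATUS" and current is not None:
                current["status"] = value
            in_tags = key == "FACTOR TAGS" and current is not None
        elif in_tags and ":" in line:
            name, _, value = line.partition(":")
            current["tags"][name.strip()] = value.strip()
    return factors

def check_user(listuser_output, expected_isam_id):
    """Return findings for one user; an empty list means the profile is as expected."""
    entry = parse_mfa(listuser_output).get(FACTOR)
    if entry is None:
        return [f"{FACTOR} is not defined for this user"]
    findings = []
    if entry["status"] != "ACTIVE":
        findings.append(f"{FACTOR} status is {entry['status']}, expected ACTIVE")
    isam_id = entry["tags"].get("ISAMUSERID")
    if isam_id != expected_isam_id:
        findings.append(f"ISAMUSERID is {isam_id}, expected {expected_isam_id}")
    if entry["tags"].get("FAILCOUNT", "0") != "0":
        findings.append(f"FAILCOUNT is {entry['tags']['FAILCOUNT']}")
    return findings

# Constructed samples in the step 2 layout; user IDs and the INACTIVE value are assumptions.
TEMPLATE = """MULTIFACTOR AUTHENTICATION INFORMATION:
FACTOR = AZFISAM1
STATUS = {status}
FACTOR TAGS =
     ISAMUSERID:{isam}
     FAILCOUNT:{fails}
     AUTHCTX:myAuthCtx
"""
OK_SAMPLE = TEMPLATE.format(status="ACTIVE", isam="jdoe", fails=0)
DRIFT_SAMPLE = TEMPLATE.format(status="INACTIVE", isam="asmith", fails=3)
print(check_user(OK_SAMPLE, "jdoe"), check_user(DRIFT_SAMPLE, "jdoe"))
```
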

What to do next

Typical User Login Flow
This section describes the typical user login flow. The exact steps the user must follow depend on your IBM Security Verify Access configuration. As part of the login flow, you must provide the user with the following:
  • The URL of the IBM Security Verify Access login page. For example, https://server-name/apimfa.html, as described in the documentation.
  • Their user name on the IBM Security Verify Access server.
  • The name of the application to use on the Generate application one-time password page.
Important: As part of the login flow, the user needs to register and use a device that is running the IBM Verify application. This device must have network connectivity to the IBM Security Verify Access server.
  1. Navigate to the web page provided by your administrator and log in with your IBM Security Verify Access user name.

    The API Multi-factor authentication page is displayed.

  2. Click on Manage / Register IBM Verify and FIDO U2F. This step is needed only on your first access.
    1. Under Authenticators::Register new authenticator, select AuthenticatorClient in the drop-down menu.
    2. Click register new authenticator.
    3. Launch IBM Verify on the device and point the camera at the displayed QR code.
    4. IBM Verify connects with API Multi-factor authentication and creates a new account.
    5. Click Home on the web page to return to the API Multi-factor authentication page.
  3. Click Obtain application OTP. The Mobile Multi Factor Device Selection page is displayed.
    1. Click the radio button corresponding to the device you registered.
    2. Click Submit. This device will receive a notification.
    3. The Mobile Multi Factor Pending Authentication page is displayed.
    4. Accept the Please log me in: user name notification on your device. Click the check mark and verify with your fingerprint if you configured Touch ID.
    5. If the Mobile Multi Factor Pending Authentication page does not disappear, click Verify.
  4. On the Generate application one-time password page:
    1. Select the application the administrator instructs you to use from the Application drop-down menu.
    2. Click Generate OTP. The OTP is displayed:
      Application One-time Password
      Username	username
      Application	app-name
      One-time password	OTP
      Expires In (hh:mm:ss)
    3. Copy the OTP to the clipboard.
  5. Log in to the z/OS application with your z/OS user ID. You do not use the IBM Security Verify Access user name for this step.
  6. Paste the OTP from the clipboard as your password.