Create and manage multi-factor authentication policies

To use IBM® MFA Out-of-Band, you must use the RDEFINE command to define multi-factor authentication policies, and the ALU command to apply the policies to one or more users.

Before you begin

Multi-factor authentication policies specify which authentication factors are required for IBM MFA Out-of-Band. The multi-factor authentication policy determines which of the active factors are actually applied.

For example, if you activate TOTP (AZFTOTP1), Certificate Authentication (AZFCERT1), and IBM MFA with SecurID (AZFSIDP1) for a user, but the policy includes only AZFCERT1 and AZFSIDP1, then AZFTOTP1 is not required.

Important: If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active for the user. RACF® does not prevent you from applying a policy to a user who does not have all the required factors defined. This will prevent the user from authenticating with IBM MFA Out-of-Band.

About this task

You must create a multi-factor authentication policy under the following conditions:

    • If you enable a user for a single factor, you can optionally create a multi-factor authentication policy for that single factor and direct the user to the IBM MFA Out-of-Band web server login page. You might want to do this for a reason described in Benefits of IBM MFA Out-of-Band Authentication.

Procedure

  1. Enter the following command to create a multi-factor authentication policy:
    RDEF MFADEF POLICY.POLICY-NAME MFPOLICY(FACTOR(FACTOR-NAME)
    TOKENTIMEOUT(num-of-seconds) REUSE(Y|N))
    Where:
    • POLICY-NAME is a name of your choice between 1 and 20 characters. The allowed characters are A-Z, 0-9. You might find it convenient to give the policy a descriptive name, such as CERTSIDPTOTP or CERTONLY.
    • FACTOR-NAME is a space-separated list of factor names. The allowed factor names are as follows:
      • AZFSIDP1
      • AZFSIDP3
      • AZFTOTP1
      • AZFCERT1
      • AZFSFNP1
      • AZFRADP1
      • AZFSIDR1
      • AZFPASS1
      • AZFYUBI1
    • TOKENTIMEOUT sets the length of time (in seconds) that the IBM MFA Out-of-Band token is valid once generated. The value can be between 1 and 86,400 (the number of seconds in a day). The default is 300 seconds (5 minutes).
    • REUSE determines whether the IBM MFA Out-of-Band token can be reused by an application. Possible values are Y or N. The default is N.
  2. Repeat step 1 as needed.
  3. Refresh the MFADEF class:
    SETROPTS RACLIST(MFADEF) REFRESH
  4. Enter the following command to display information about a specific policy:
    RLIST MFADEF POLICY.POLICY-NAME MFPOLICY
  5. Enter the following command to display information about all IBM MFA factors and policies:
    RLIST MFADEF *
  6. Enter the following command to apply the policy to a user:
    ALU <USERID> MFA(ADDPOLICY(POLICY-NAME))
  7. Repeat step 6 as needed. If you apply multiple policies to a user, instruct the user which policy to use.
  8. Enter the following command to display IBM MFA information for a user profile, including any applied policies:
    LU <USERID> MFA
    MULTIFACTOR AUTHENTICATION INFORMATION:
    ---------------------------------------
      PASSWORD FALLBACK IS NOT ALLOWED
      AUTHENTICATION POLICIES =
        TOTPONLY
      FACTOR = AZFSIDP1
        STATUS = INACTIVE
        FACTOR TAGS =
          SIDUSERID:user
      FACTOR = AZFTOTP1
        STATUS = ACTIVE
        FACTOR TAGS =
          REGSTATE:PROVISIONED
  9. If needed, enter the following command to remove a policy from a user:
    ALU <USERID> MFA(DELPOLICY(POLICY-NAME))
  10. If needed, enter the following commands to delete a policy and refresh the MFADEF class:
    RDEL MFADEF POLICY.POLICY-NAME
    SETROPTS RACLIST(MFADEF) REFRESH
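As an added example (not part of the IBM documentation), the following Python check covers the caveat in the Important note above: it parses LU <USERID> MFA output in the format shown in step 8 and reports, for each policy applied to the user, the factors that are not defined or not ACTIVE. The policy-to-factor mapping and the second policy name CERTSIDP are constructed inputs standing in for what RLIST MFADEF POLICY.<name> MFPOLICY would report.

```python
import re

# Constructed sample input: LU <USERID> MFA output in the format shown in step 8,
# with a second applied policy (CERTSIDP) added to exercise the failure case.
LU_OUTPUT = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
  PASSWORD FALLBACK IS NOT ALLOWED
  AUTHENTICATION POLICIES =
    TOTPONLY
    CERTSIDP
  FACTOR = AZFSIDP1
    STATUS = INACTIVE
    FACTOR TAGS =
      SIDUSERID:user
  FACTOR = AZFTOTP1
    STATUS = ACTIVE
    FACTOR TAGS =
      REGSTATE:PROVISIONED
"""

# Constructed policy definitions (hypothetical names): the FACTOR list each
# MFPOLICY was defined with via RDEF MFADEF POLICY.<name> MFPOLICY(FACTOR(...)).
POLICIES = {
    "TOTPONLY": ["AZFTOTP1"],
    "CERTSIDP": ["AZFCERT1", "AZFSIDP1"],
}


def parse_lu_mfa(text):
    """Return (applied policy names, {factor name: STATUS}) from LU ... MFA output."""
    policies, factors, section, current = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AUTHENTICATION POLICIES"):
            section = "policies"          # policy names follow, one per line
        elif line.startswith("FACTOR ="):
            section = "factor"            # a factor block follows (STATUS, tags)
            current = line.split("=", 1)[1].strip()
            factors[current] = "UNKNOWN"
        elif section == "policies" and re.fullmatch(r"[A-Z0-9]{1,20}", line):
            policies.append(line)         # valid POLICY-NAME: 1-20 chars, A-Z 0-9
        elif section == "factor" and line.startswith("STATUS ="):
            factors[current] = line.split("=", 1)[1].strip()
    return policies, factors


def policy_problems(applied, factors, policies):
    """Map each applied policy to its factors the user lacks or has inactive; {} means OK."""
    problems = {}
    for name in applied:
        required = policies.get(name)
        if required is None:
            problems[name] = ["policy not defined"]
            continue
        bad = [f for f in required if factors.get(f) != "ACTIVE"]
        if bad:
            problems[name] = bad
    return problems
```

A non-empty result means the user cannot authenticate with IBM MFA Out-of-Band under that policy until the listed factors are defined and activated, or the policy is removed with ALU ... MFA(DELPOLICY(...)).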