Logging in with TOTP and compound in-band authentication

You can log in with a valid TOTP OTP token code and a passphrase or password. Your administrator must have configured your account for IBM® MFA Compound In-Band.

About this task

Important: If your RACF® password has expired and you are using TSO/E, you are prompted during the compound in-band login session to change your RACF password. However, after attempting to change your password, the IBM MFA credentials are then replayed, which causes the password change operation to fail. In this case, begin a new TSO/E session, log in with your existing password and IBM MFA credentials, and then use the -New Password option on the panel to change your RACF password.

This alternate login flow is not needed if your administrator has configured your account for identity tokens. Identity tokens are configured on your behalf, and are not something you directly use.


Perform the following steps:

  1. Begin to log in with your user name.
  2. Run the TOTP application.
  3. Tap the account you created to select it.
  4. Generate the TOTP OTP. This OTP is valid for 15, 30, or 60 seconds as determined by your security administrator and can be used only once.
  5. Manually enter or copy/paste the OTP as the password as appropriate, followed by the separator, followed by your passphrase or password.
    Note: Your security administrator can reverse the order in which you enter the credentials, so that you enter your passphrase or password first, followed by the separator. Consult your security administrator for guidance.