Multi-factor authentication concepts
IBM® MFA relies on multiple authentication factors.
Multi-factor authentication is a method of computer access control in which a user is granted access only after successfully providing several authentication factors to an authentication mechanism. The authentication factors are typically from at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).
Requiring multiple authentication factors improves the security of user accounts.
- You create an IBM MFA authentication policy for users and provide them with the policy URL.
- The user navigates to the policy URL and provides credentials that satisfy the authentication methods of the policy.
- The IBM MFA server provides an authentication token called a cache token credential (CTC).
- The user navigates to the z/VM® LOGON screen.
- The user enters their user ID and pastes the authentication token into the password field.
- The ESM communicates with the IBM MFA server to verify the authentication token.
- If verification is successful, the ESM authorizes the logon.
IBM MFA for RSA SecurID authentication method
While authenticating by using the IBM MFA for RSA SecurID authentication method, the RSA Authentication Manager determines whether the user's credentials are valid, and if valid returns success to IBM MFA. The operating system then resumes control and completes the authentication and authorization process as usual.
The IBM MFA for RSA SecurID authentication method requires the following credentials:
- Something you have: The hardware or software RSA SecurID token.
- Two things you know: An RSA SecurID Personal Identification Number (PIN), and a second knowledge factor.
PIV/CAC or X.509 Certificate method
The PIV/CAC or X.509 Certificate method is a general-purpose certificate authentication that includes Personal Identification Verification (PIV) and Common Access Card (CAC) cards. Certificate authentication uses the client identity certificate to authenticate the user.
- Something you have: The approved certificate, typically from a PIV or CAC card or other smart card.
- Something you know: The Personal Identification Number (PIN).
IBM MFA for RADIUS authentication methods
IBM MFA includes support for "generic" RADIUS, SafeNet RADIUS, and RSA SecurID RADIUS. Generic RADIUS refers to the RADIUS server of your choice that returns a simple allowed or denied response. In all cases, the RADIUS server determines whether the user's credentials are valid, and if so, returns success. The operating system then resumes control and completes the authentication and authorization process as usual.
IBM MFA for TOTP authentication method
The two methods of generating a hashed, timed one-time password (TOTP) are generic TOTP and IBM TouchToken for iOS.
If you configure a user's account for generic TOTP, the user enrolls by scanning a Quick Response (QR) code on either an Android or an Apple iOS device. The user installs an authenticator application that reads QR codes, such as IBM Verify, Google Authenticator, or Duo Mobile, on their device. The user then logs in with their user name and the timed one-time password (OTP) that the application generates.
For IBM TouchToken for iOS, the user uses the IBM TouchToken for iOS application on supported Apple devices to generate a hashed, timed one-time password (OTP), and then uses this password together with their user name to log in.
For both generic TOTP and IBM TouchToken for iOS, the OTP password must match the OTP password generated on the IBM MFA server. OTP passwords are regenerated at regular intervals.
- Something you have: An Android or Apple iOS device with the provisioned authenticator application, or the IBM TouchToken for iOS application.
- Something you are: Your fingerprint.
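The server-side matching described above, as an added example that is not IBM's code: an RFC 6238 TOTP computation (HMAC-SHA1, 30-second step) and a verifier that tolerates one step of clock drift and refuses to accept the same time step twice, so an OTP cannot be replayed within its interval. The secret and clock values are constructed (the RFC 6238 test vector), not values from the page.

```python
"""TOTP (RFC 6238) generation and server-side verification with replay rejection."""
import hmac
import hashlib
import struct
import time

STEP = 30    # seconds per time step; the OTP is regenerated every STEP seconds
DIGITS = 6   # length of the displayed one-time password


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP for the given Unix time (RFC 6238 over HOTP, HMAC-SHA1)."""
    counter = int(unix_time) // step                  # time step number T
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: the submitted OTP must equal the OTP the server derives itself.

    A window of +/-1 step tolerates clock drift between device and server; the
    last accepted step is remembered so a captured OTP cannot be reused.
    """

    def __init__(self, secret: bytes, step: int = STEP, digits: int = DIGITS, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1                        # highest time step already consumed

    def verify(self, otp: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue                              # step already used or older: reject replay
            expected = totp(self.secret, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, otp):    # constant-time comparison
                self.last_counter = counter
                return True
        return False
```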
Yubico OTP authentication method
The OTP password generated by the Yubikey token must match the OTP password generated by the Yubico OTP component on the IBM MFA server. OTP passwords are generated when you trigger the Yubikey token.
- Something you have: The hardware Yubikey token.
- Something you know: The Yubico OTP method supplies no knowledge factor on its own, so use it together with another authentication method that does.
IBM Security Verify Access authentication method
- Something you know: The IBM Security Verify Access verification one-time password, if configured.
- Something you know: The IBM Security Verify Access user ID and password.