Configuring IBM MFA Out-of-Band authentication
IBM® MFA Out-of-Band authentication allows a user to authenticate outside of the z/OS® authentication process through a web browser. You can configure IBM MFA Out-of-Band authentication for one or more users.
In-band versus out-of-band authentication
IBM MFA provides two approaches to authentication:
- In-band authentication. The user presents the credentials directly to the application. For in-band authentication, the user generates a token and uses that token directly to log on. You can use a factor in-band, with or without a policy assigned, if:
  - No other factors (except the weak AZFPTKT1 and AZFPASS1 factors) are active. Strong and weak factors are described in Table 1.
  - It is a strong factor.
  - The factor is active.
  - The factor supports in-band authentication.
- Out-of-band authentication. IBM MFA Out-of-Band authentication allows a user to authenticate outside of the z/OS authentication process ("out-of-band") with one or more factors to retrieve a cache token credential. You configure the authentication factors the user must provide, and the user is then presented with a user-specific IBM MFA Out-of-Band web page for the configured authentication factors. If the IBM MFA Out-of-Band authentication is successful, the user then uses the resulting cache token credential to log
A cache token credential is created every time a user successfully logs on with IBM MFA Out-of-Band. If the authentication policy specifies that the cache token credential can be reused by an application, it is usable until the first cache sweep after it expires.
Out-of-Band components
There are two major components to IBM MFA Out-of-Band server authentication:
- The IBM MFA services started task.
The started task must run in every z/OS instance where IBM MFA Out-of-Band users will log on.
- The IBM MFA web services started task.
The out-of-band server interface consists of web pages served to client web browsers via the server authentication TLS connection. The web pages indicate which authentication factors are required and which factors have been satisfied.
In a sysplex environment where the RACF® database, IBM MFA cache, and ICSF TKDS are shared across member LPARs, the web services started task needs to run only on one LPAR in the sysplex.
Benefits of IBM MFA Out-of-Band Authentication
Consider the following benefits of using IBM MFA Out-of-Band authentication:
- You can require the user to provide multiple authentication factors. By requiring multiple authentication factors, you improve the security of the user account.
- You can require the user to use certificate authentication, including certificates stored on Common Access Card (CAC) and Personal Identification Verification (PIV) cards.
- Because IBM MFA Out-of-Band authentication provides an 8-character cache token credential, you can use it with applications that are strictly limited to 8-character
For example, if you want your users to use IBM MFA with SecurID with a hardware token without a PINpad, not all applications provide a method to enter both the PIN and the 6- to 8-digit token code. By using IBM MFA SecurID with IBM MFA Out-of-Band authentication, the user can instead use the resulting 8-character cache token credential as the password.
- You can use the cache token credential in cases where the application replays the user password. Token codes can be used only once, which can be problematic for applications that cache and replay passwords. Using the resulting 8-character cache token credential as the password negates this problem.
- You can customize IBM MFA Out-of-Band on a per-user basis. You can decide which users must provide which factors based on your own environment and security needs. The user is then presented with a customized, user-specific IBM MFA Out-of-Band web page to log in.
Benefits of compound authentication in IBM MFA Out-of-Band
Authenticating with two or more factors is called "compound authentication." The important thing to note about compound authentication is that all configured authentication factors must succeed for the user to retrieve the in-band authentication code.
For example, if you were to configure the user for both IBM MFA with SecurID and TOTP, both authentications must succeed for the user to obtain the in-band authentication code. By requiring both a SecurID token code and the OTP token, you improve the security of the user account.
How tokens work with IBM MFA Out-of-Band
A SecurID token code is valid only while it is displayed. A TOTP OTP value is valid within its Token Period and Window constraints. These requirements remain true with IBM MFA Out-of-Band. However, the difference is that the IBM MFA Out-of-Band web page validates each token according to the existing requirements.
For example, if the user provides the SecurID token, the IBM MFA Out-of-Band web page validates that token in real time. If the user then provides an OTP token, the IBM MFA Out-of-Band web page then validates that token in real time.
The user has a fixed amount of time to satisfy all authentication factors.
Types of factors
There are two types of authentication factors: strong and weak. Strong factors can be used alone or combined in IBM MFA Out-of-Band.
In contrast, weak factors must be used in combination with a strong factor.
Table 1. Strong and weak factors

| Factor | Type | Supported authentication |
|---|---|---|
| RSA SecurID ACEv5 UDP | Strong | Both |
| RSA SecurID Auth API (HTTPS) AZFSIDP3 | Strong | Both |
| IBM Security Verify Access AZFISAM1 | Strong | Both |
| Yubico OTP AZFYUBI1 | Strong | Both |
| Certificate AZFCERT1 | Strong | Out-of-band only |
| Check CTC AZFCKCTC | Strong | In-band only |
| PassTicket AZFPTKT1 | Weak | In-band only |
| Password AZFPASS1 | Weak | Out-of-band only |
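The in-band eligibility rules, the compound-authentication rule (every configured factor must succeed within a fixed time) and Table 1 above can be checked with a small policy model. This is an added example written for this page, not IBM MFA's own code; the factor table is copied from Table 1, while the function names, the time-limit handling and the 8-character credential placeholder are assumptions.

```python
# Added example (not IBM MFA code): a model of the factor rules this page
# describes, usable to sanity-check a user's factor assignment before rollout.
import secrets

# Factor table from Table 1: name -> (strength, supported authentication modes).
FACTORS = {
    "RSA SecurID ACEv5 UDP":               ("Strong", {"in-band", "out-of-band"}),
    "RSA SecurID Auth API AZFSIDP3":       ("Strong", {"in-band", "out-of-band"}),
    "IBM Security Verify Access AZFISAM1": ("Strong", {"in-band", "out-of-band"}),
    "Yubico OTP AZFYUBI1":                 ("Strong", {"in-band", "out-of-band"}),
    "Certificate AZFCERT1":                ("Strong", {"out-of-band"}),
    "Check CTC AZFCKCTC":                  ("Strong", {"in-band"}),
    "PassTicket AZFPTKT1":                 ("Weak",   {"in-band"}),
    "Password AZFPASS1":                   ("Weak",   {"out-of-band"}),
}
# The two weak factors that do not block in-band use of another factor.
WEAK_EXEMPT = {"PassTicket AZFPTKT1", "Password AZFPASS1"}


def can_use_in_band(factor, active):
    """In-band use is allowed only if the factor is strong, active, supports
    in-band, and no other factors (except AZFPTKT1/AZFPASS1) are active."""
    strength, modes = FACTORS[factor]
    others = set(active) - {factor} - WEAK_EXEMPT
    return (strength == "Strong" and factor in active
            and "in-band" in modes and not others)


def valid_oob_policy(factors):
    """An out-of-band policy needs every factor to support out-of-band, and a
    weak factor may only appear together with at least one strong factor."""
    if not factors or any("out-of-band" not in FACTORS[f][1] for f in factors):
        return False
    return any(FACTORS[f][0] == "Strong" for f in factors)


def oob_logon(factors, results, time_limit, elapsed):
    """Compound authentication: each factor is validated as it is presented
    and every one must succeed within the fixed time allowed, otherwise no
    cache token credential is issued. `results` maps factor -> bool (the
    outcome of each real-time validation); time values are in seconds."""
    if not valid_oob_policy(factors) or elapsed > time_limit:
        return None
    if not all(results.get(f, False) for f in factors):
        return None
    # Placeholder for the 8-character cache token credential (format assumed).
    return secrets.token_hex(4)
```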
IBM MFA Out-of-Band configuration requirements
Before you configure IBM MFA Out-of-Band STC, refer to the configuration roadmap in IBM MFA configuration roadmap.
Identifying the LPAR or SYSPLEX in IBM MFA Out-of-Band
If you want to identify the LPAR or sysplex you are connected to in IBM MFA Out-of-Band without having to extrapolate from the URL, you can use the translation feature described in Translating and customizing IBM MFA messages and HTML to edit translate.json or the HTML and add the LPAR or sysplex name.