Configuring IBM MFA Out-of-Band authentication

IBM® MFA Out-of-Band authentication allows a user to authenticate outside of the z/OS® authentication process through a web browser. You can configure IBM MFA Out-of-Band authentication for one or more users.

In-band versus out-of-band authentication

IBM MFA provides two approaches to authentication:
  • In-band authentication. The user presents the credentials directly into the application. For in-band authentication, the user generates a token and uses that token directly to log on.
    You can use a factor in-band, with or without a policy assigned, if:
    • No other factors (except the weak AZFPTKT1 and AZFPASS1 factors) are active. Strong and weak factors are described in Table 1.
    • It is a strong factor.
    • The factor is active.
    • The factor supports in-band authentication.
  • Out-of-band authentication. IBM MFA Out-of-Band authentication allows a user to authenticate outside of the z/OS authentication process ("out-of-band") with one or more factors to retrieve a cache token credential. You configure the authentication factors the user must provide, and the user is then presented with a user-specific IBM MFA Out-of-Band web page for the configured authentication factors. If IBM MFA Out-of-Band authentication is successful, the user then uses the resulting cache token credential to log on.

    A cache token credential is created every time a user successfully logs on with IBM MFA Out-of-Band. If the authentication policy specifies that the cache token credential can be reused by an application, it is usable until the first cache sweep after it expires.

IBM MFA Out-of-Band provides significant advantages, as described in Benefits of IBM MFA Out-of-Band Authentication.

Out-of-Band components

There are two major components to IBM MFA Out-of-Band server authentication:
  • The IBM MFA services started task.

    The started task must run in every z/OS instance where IBM MFA Out-of-Band users will log on.

  • The IBM MFA web services started task.

    The out-of-band server interface consists of web pages served to client web browsers via the server authentication TLS connection. The web pages indicate which authentication factors are required and which factors have been satisfied.

    In a sysplex environment where the RACF® database, IBM MFA cache, and ICSF TKDS are shared across member LPARs, the web services started task needs to run only on one LPAR in the sysplex.

Benefits of IBM MFA Out-of-Band Authentication

Consider the following benefits of using IBM MFA Out-of-Band authentication:
  • You can require the user to provide multiple authentication factors. By requiring multiple authentication factors, you improve the security of the user account.
  • You can require the user to use certificate authentication, including certificates stored on Common Access Card (CAC) and Personal Identification Verification (PIV) cards.
  • Because IBM MFA Out-of-Band authentication provides an 8-character cache token credential, you can use it with applications that are strictly limited to 8-character passwords.

    For example, if you want your users to use IBM MFA with SecurID using a hardware token without a PINpad, not all applications provide a way to enter both the PIN and the 6- to 8-digit token code. By using IBM MFA with SecurID together with IBM MFA Out-of-Band authentication, the user can instead use the resulting 8-character cache token credential as the password.

  • You can use the cache token credential in cases where the application replays the user password. Token codes can be used only once, which can be problematic for applications that cache and replay passwords. Using the resulting 8-character cache token credential as the password negates this problem.
  • You can customize IBM MFA Out-of-Band on a per-user basis. You can decide which users must provide which factors based on your own environment and security needs. The user is then presented with a customized, user-specific IBM MFA Out-of-Band web page to log in.

Benefits of compound authentication in IBM MFA Out-of-Band

Authenticating with two or more factors is called "compound authentication." The important thing to note about compound authentication is that all configured authentication factors must succeed for the user to retrieve the in-band authentication code.

For example, if you were to configure the user for both IBM MFA with SecurID and TOTP, both authentications must succeed for the user to obtain the in-band authentication code. By requiring both a SecurID token code and the OTP token, you improve the security of the user account.

How tokens work with IBM MFA Out-of-Band

A SecurID token code is valid only while it is displayed. A TOTP OTP value is valid within its Token Period and Window constraints. These requirements remain true with IBM MFA Out-of-Band. The difference is that the IBM MFA Out-of-Band web page validates each token, as it is entered, according to those existing requirements.

For example, if the user provides the SecurID token, the IBM MFA Out-of-Band web page validates that token in real time. If the user then provides an OTP token, the IBM MFA Out-of-Band web page then validates that token in real time.

The user has a fixed amount of time to satisfy all authentication factors.

Types of factors

There are two types of authentication factors: strong and weak. Strong factors can be used alone or combined in IBM MFA Out-of-Band.

In contrast, weak factors must be used in combination with a strong factor.

Table 1. Types of Factors

Factor                                   Type     In-Band/Out-of-Band
RSA SecurID ACEv5 UDP                    Strong   Both
RSA SecurID Auth API (HTTPS) AZFSIDP3    Strong   Both
IBM Security Verify Access AZFISAM1      Strong   Both
Yubico OTP AZFYUBI1                      Strong   Both
Certificate AZFCERT1                     Strong   Out-of-band only
Check CTC AZFCKCTC                       Strong   In-band only
PassTicket AZFPTKT1                      Weak     In-band only
Password AZFPASS1                        Weak     Out-of-band only
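The in-band eligibility rules, the strong/weak combination rule, and the all-factors-must-succeed rule of compound authentication can be encoded as a small policy checker. The following is an added example written for this page, not IBM MFA's own API; the factor table is transcribed from Table 1, and the key "SECURID-ACEV5" is a constructed stand-in because the page gives no AZF identifier for that row.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    factor_id: str
    strong: bool        # Table 1 "Type" column
    in_band: bool       # supports in-band authentication
    out_of_band: bool   # supports IBM MFA Out-of-Band


# Table 1, transcribed. "SECURID-ACEV5" is a constructed key (no ID on the page).
FACTORS = {
    "SECURID-ACEV5": Factor("SECURID-ACEV5", True,  True,  True),
    "AZFSIDP3":      Factor("AZFSIDP3",      True,  True,  True),
    "AZFISAM1":      Factor("AZFISAM1",      True,  True,  True),
    "AZFYUBI1":      Factor("AZFYUBI1",      True,  True,  True),
    "AZFCERT1":      Factor("AZFCERT1",      True,  False, True),
    "AZFCKCTC":      Factor("AZFCKCTC",      True,  True,  False),
    "AZFPTKT1":      Factor("AZFPTKT1",      False, True,  False),
    "AZFPASS1":      Factor("AZFPASS1",      False, False, True),
}

# Weak factors that do not block in-band use of another factor.
IN_BAND_EXCEPTIONS = {"AZFPTKT1", "AZFPASS1"}


def can_use_in_band(factor_id, active):
    """A factor may be used in-band only if it is active, strong, supports
    in-band, and no other (non-exception) factor is active for the user."""
    f = FACTORS[factor_id]
    other_active = set(active) - {factor_id} - IN_BAND_EXCEPTIONS
    return factor_id in active and f.strong and f.in_band and not other_active


def valid_out_of_band_policy(factor_ids):
    """Every factor must support out-of-band, and a weak factor is only
    acceptable in combination with at least one strong factor."""
    fs = [FACTORS[i] for i in factor_ids]
    if not fs or any(not f.out_of_band for f in fs):
        return False
    return any(f.strong for f in fs)


def compound_auth_succeeds(factor_ids, results):
    """Compound authentication: the cache token credential is issued only if
    the policy is valid and every configured factor succeeded."""
    if not valid_out_of_band_policy(factor_ids):
        return False
    return all(results.get(i) is True for i in factor_ids)
```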

IBM MFA Out-of-Band configuration requirements

Before you configure the IBM MFA Out-of-Band started task (STC), refer to the configuration roadmap in IBM MFA configuration roadmap.

Identifying the LPAR or SYSPLEX in IBM MFA Out-of-Band

If you want IBM MFA Out-of-Band to show which LPAR or sysplex you are connected to, rather than having users infer it from the URL, use the translation feature described in Translating and customizing IBM MFA messages and HTML to edit translate.json or the HTML and add the LPAR or sysplex name.