Configuring IBM MFA Password Authentication
You can configure IBM® MFA for password and passphrase authentication. IBM MFA Password Authentication is a weak factor and requires the user to enter their RACF® password or passphrase in addition to at least one other strong authentication factor. IBM MFA Password Authentication is supported only in IBM MFA Out-of-Band.
IBM MFA Password Authentication credentials are used as entered
The current and new credentials values specified for AZFPASS1 are used exactly as entered, including any leading and trailing blanks. Leading or trailing blanks will cause authentication failures if a password is being used or a passphrase that does not have the same leading or trailing blanks is being used. If a password is being changed, leading or trailing blanks in the new password will cause it to be rejected as invalid. If a passphrase is being changed, leading or trailing blanks will be included in the new passphrase, and will cause it to be unusable by any applications, such as TSO, which remove leading or trailing blanks from a passphrase before using it to authenticate.
The IBM MFA Password Authentication credential considerations apply in the following workflows:
- When the user is provisioned for AZFPASS1 and enters their password.
- When the user attempts to change their password with the pwChange.html web interface.
- When the user attempts to reset their password with the pwReset.html web interface.