Configuring Password Fallback

If you configure user accounts with the password fallback parameter, users can log in in-band with their z/OS® password or passphrase if the started task is down. The password fallback mechanism is provided as a fail-safe authentication method.

About this task

Password fallback applies in the following two situations:
  • The IBM® MFA started task is down.
  • Strong factors that can be used in-band (see Table 1) can return a COULD_NOT_EVALUATE reason code. The most likely cause of this reason code is the external server (RADIUS, RSA SecurID, and so forth) being unavailable. In this case, the enterprise security manager (ESM) attempts to evaluate the user's last input credential as the SAF password.
    Note: Because the user's last-input credential is likely to be the IBM MFA credential, this action can increment the user's login failure count. If the user is not aware that the external server is not available, repeated attempts to log in with the IBM MFA credential can result in the user account being suspended.

Password fallback is a user setting that applies to all in-band IBM MFA authentications performed with that user ID, and the most recent setting takes precedence. That is, if you set PWFALLBACK for a user in one authentication factor and later set NOPWFALLBACK or accept the default for that same user in another factor, NOPWFALLBACK applies to all factors. This is true regardless of whether the factors are active for the user.

Procedure

  1. Enter the following command to set password fallback:
    ALU [Login ID] MFA(PWFALLBACK|NOPWFALLBACK)
    PWFALLBACK configures password fallback for the user. If you omit this parameter, the default is NOPWFALLBACK.
  2. Enter the following command to display IBM MFA information for a user profile:
    LISTUSER [Login ID] MFA
    Example output:
    MULTIFACTOR AUTHENTICATION INFORMATION:
    ---------------------------------------
    PASSWORD FALLBACK IS NOT ALLOWED
    FACTOR = AZFTOTP1
    STATUS = ACTIVE
    FACTOR TAGS =
    REGSTATE:PROVISIONED
    KEYLABEL:AZF.MDHUNTA.D13D317557E799C8
    ALG:SHA512
    CVALUE:49071141
    NUMDIGITS:7
    PERIOD:30
    WINDOW:3
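
Because the setting is per user and the most recent ALU command wins across all factors, it is worth checking periodically which accounts actually have fallback enabled. The following is an added example, not IBM's code: it parses captured LISTUSER MFA sections and classifies each user. The user IDs and sample text are constructed, and the "PASSWORD FALLBACK IS ALLOWED" wording is an assumption, since this page shows only the NOT ALLOWED form.

```python
import re

# Constructed sample input: MFA sections captured from LISTUSER for three
# hypothetical user IDs. The "IS ALLOWED" wording is an assumption; the page
# only shows the "IS NOT ALLOWED" form.
SAMPLE = {
    "USERA": "PASSWORD FALLBACK IS NOT ALLOWED\nFACTOR = AZFTOTP1\n"
             "STATUS = ACTIVE\nFACTOR TAGS =\nREGSTATE:PROVISIONED\nALG:SHA512\n",
    "USERB": "PASSWORD FALLBACK IS ALLOWED\nFACTOR = AZFTOTP1\n"
             "STATUS = ACTIVE\nFACTOR TAGS =\nREGSTATE:PROVISIONED\n",
    "USERC": "",  # no MFA section captured (command failed or no MFA data)
}

FALLBACK_RE = re.compile(r"^\s*PASSWORD FALLBACK IS (NOT )?ALLOWED\s*$")
FIELD_RE = re.compile(r"^\s*(FACTOR|STATUS)\s*=\s*(\S+)\s*$")
TAG_RE = re.compile(r"^\s*([A-Z0-9]+):(\S*)\s*$")


def parse_mfa_section(text):
    """Parse one user's MFA section into fallback state and factor records."""
    parsed = {"fallback": None, "factors": []}
    for line in text.splitlines():
        if m := FALLBACK_RE.match(line):
            parsed["fallback"] = m.group(1) is None  # no "NOT" means allowed
        elif m := FIELD_RE.match(line):
            if m.group(1) == "FACTOR":
                parsed["factors"].append({"name": m.group(2), "status": None, "tags": {}})
            elif parsed["factors"]:
                parsed["factors"][-1]["status"] = m.group(2)
        elif (m := TAG_RE.match(line)) and parsed["factors"]:
            parsed["factors"][-1]["tags"][m.group(1)] = m.group(2)
    return parsed


def audit(listings):
    """Map each user ID to 'fallback', 'no-fallback' or 'unknown'."""
    report = {}
    for user, text in listings.items():
        state = parse_mfa_section(text)["fallback"]
        # Treat a missing fallback line as unknown rather than assuming the default.
        report[user] = {True: "fallback", False: "no-fallback", None: "unknown"}[state]
    return report


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE).items():
        print(f"{user}: {verdict}")
```

Users reported as "fallback" can authenticate with only their password or passphrase whenever one of the two situations listed above occurs, so that list is the one to review against policy.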