Configuring Password Fallback
If you configure user accounts with the password fallback parameter, users can log in in-band with their z/OS® password or passphrase if the started task is down. The password fallback mechanism is provided as a fail-safe authentication method.
About this task
Password fallback applies in the following situations:
- The IBM® MFA started task is down.
- Strong factors that can be used in-band (see Table 1) can return a COULD_NOT_EVALUATE reason code. The most likely cause of this reason code is the external server (RADIUS, RSA SecurID, and so forth) being unavailable. In this case, the enterprise security manager (ESM) attempts to evaluate the user's last input credential as the SAF password.
Note: Because the user's last-input credential is likely to be the IBM MFA credential, this action can increment the user's login failure count. If the user is not aware that the external server is not available, repeated attempts to log in with the IBM MFA credential can result in the user account being suspended.
Password fallback is a user setting that applies to all in-band IBM MFA authentications performed with that user ID, and the most recent setting takes precedence. That is, if you set PWFALLBACK for a user in one authentication factor and later set NOPWFALLBACK or accept the default for that same user in another factor, NOPWFALLBACK applies to all factors. This is true regardless of whether the factors are active for the user.
Enter the following command to set password fallback:
ALU [Login ID] MFA(PWFALLBACK|NOPWFALLBACK)
Where PWFALLBACK configures password fallback for the user. If you omit this parameter, the default is NOPWFALLBACK.
Enter the following command to display IBM MFA information for a user profile:
LISTUSER [Login ID] MFA
The output is similar to the following:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFTOTP1
  STATUS = ACTIVE
  FACTOR TAGS =
    REGSTATE:PROVISIONED
    KEYLABEL:AZF.MDHUNTA.D13D317557E799C8
    ALG:SHA512
    CVALUE:49071141
    NUMDIGITS:7
    PERIOD:30
    WINDOW:3
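Because password fallback lets a user ID authenticate with the SAF password alone, an administrator reviewing MFA coverage will want to find every profile where it is allowed. The following added example (not IBM code and not part of this documentation) parses the LISTUSER [Login ID] MFA output layout shown above and reports which user IDs allow fallback; the user IDs, the second output block and the function names are constructed for illustration.

```python
# Constructed sample LISTUSER [Login ID] MFA output for two hypothetical user IDs.
# USER1 copies the layout shown on this page; USER2 is made up, with fallback allowed.
SAMPLE_OUTPUT = {
    "USER1": """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFTOTP1
  STATUS = ACTIVE
  FACTOR TAGS =
    REGSTATE:PROVISIONED
    KEYLABEL:AZF.MDHUNTA.D13D317557E799C8
    ALG:SHA512
    CVALUE:49071141
    NUMDIGITS:7
    PERIOD:30
    WINDOW:3
""",
    "USER2": """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS ALLOWED
FACTOR = AZFTOTP1
  STATUS = ACTIVE
  FACTOR TAGS =
    REGSTATE:PROVISIONED
    NUMDIGITS:6
""",
}

def parse_listuser_mfa(text: str) -> dict:
    """Parse the MFA section of LISTUSER output: fallback flag plus each factor."""
    result = {"password_fallback": None, "factors": []}
    current = None  # factor block currently being filled
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("PASSWORD FALLBACK IS"):
            result["password_fallback"] = "NOT ALLOWED" not in line
        elif line.startswith("FACTOR ="):
            current = {"name": line.split("=", 1)[1].strip(), "status": None, "tags": {}}
            result["factors"].append(current)
        elif current is not None and line.startswith("STATUS ="):
            current["status"] = line.split("=", 1)[1].strip()
        elif current is not None and ":" in line and "=" not in line:
            key, value = line.split(":", 1)  # factor tag line, e.g. NUMDIGITS:7
            current["tags"][key] = value
    return result

def audit_fallback(outputs: dict) -> list:
    """User IDs whose profile allows password fallback (password alone is accepted)."""
    return sorted(u for u, text in outputs.items() if parse_listuser_mfa(text)["password_fallback"])
```

Feed it the captured LISTUSER output of each user ID in scope to get the list of profiles to review against your fallback policy.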