IBM MFA Out-of-Band authentication
IBM® MFA Out-of-Band authentication requires you to authenticate "out-of-band" with one or more factors to retrieve a cache token credential, which you then use as your password with a z/OS® application.
Your administrator must configure your account for IBM MFA Out-of-Band and will tell you whether you must use the IBM MFA Out-of-Band web page to log on.
The administrator will provide you with the URL to use.
When prompted by the IBM MFA Out-of-Band web page, you must provide the required token(s). How you obtain the required token varies by token type.
You follow the same process and provide the same information as you would for these factors without IBM MFA Out-of-Band, except that you enter the tokens on the login web page and not in your z/OS application.
IBM MFA with SecurID
- For a SecurID token without a PINpad, get the 6- to 8-digit token code displayed by the token.
- For a SecurID token with a PINpad (hardware or soft token), enter your PIN in the token and get the displayed passcode.
- Provide it to the IBM MFA Out-of-Band web page when prompted.
- Use the generated cache token credential as your password with the z/OS application.
TOTP
- Install a QR code application such as IBM Verify, Google Authenticator, or Duo Mobile on your device.
- Open the TOTP start page provided by your administrator in a desktop web browser and log in with your user name and password. For example:
https://hostname:6793/AZFTOTP1/genericStart
A page that contains the AuthURL URL and the encoded QR code is displayed.
- Point your device at the generated QR code and scan it with the application. The application displays the TOTP code.
- Enter the TOTP code on the web page and click Generic TOTP Enrollment.
If an error occurs, you are prompted to retry enrollment. If the error persists, your administrator may need to make additional tag settings changes to your account. If the enrollment is successful, the message "New TOTP token has been confirmed and is ready to use." is displayed.
- Provide the TOTP code to the IBM MFA Out-of-Band web page when prompted.
- Use the generated cache token credential as your password with the z/OS application.
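To show what the authenticator application computes from the scanned QR code, and how an enrollment page can check the submitted code while tolerating a slightly drifted device clock, here is an added Python example; it is not IBM MFA's own code. It assumes the QR code encodes a standard otpauth://totp URI and that codes follow RFC 6238 (HMAC-SHA1); the URI, user name and secret below are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: an otpauth:// URI of the kind a TOTP QR code commonly
# encodes (assumption: the enrollment page follows this convention).
SAMPLE_URI = ("otpauth://totp/IBM%20MFA:USER01"
              "?secret=JBSWY3DPEHPK3PXP&issuer=IBM%20MFA&digits=6&period=30")


def parse_otpauth(uri):
    """Return (secret_bytes, digits, period) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if omitted
    return (base64.b32decode(secret),
            int(q.get("digits", ["6"])[0]),
            int(q.get("period", ["30"])[0]))


def totp(secret, at, digits=6, period=30):
    """RFC 6238 code at unix time `at`: HMAC-SHA1 over the time-step counter."""
    counter = int(at) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_enrollment_code(secret, submitted, at, digits=6, period=30, skew=1):
    """Server-side check of the code typed on the enrollment page, accepting
    +/- `skew` time steps so a slightly drifted phone clock still enrolls."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    return any(hmac.compare_digest(totp(secret, at + d * period, digits, period), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    import time
    s, d, p = parse_otpauth(SAMPLE_URI)
    print("code the app would display now:", totp(s, time.time(), d, p))
```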
Generic RADIUS
How you log in depends entirely on how your administrator has configured the RADIUS server. You may need to supply a valid passcode, PIN, or some other credential. Your administrator will provide you with this information.
- Provide the RADIUS credential to the IBM MFA Out-of-Band web page when prompted.
- Use the generated cache token credential as your password with the z/OS application.
SafeNet RADIUS
Your administrator will tell you which SafeNet configuration applies to you.
- In challenge-response mode, enter any single alphabetic character in the IBM MFA Out-of-Band passcode field. Copy the generated challenge and enter it in the MobilePASS application to generate a passcode. In Quick Log mode, you do not have to perform this step.
- Get the 6- to 8-digit token passcode displayed by the MobilePASS token.
- For a "server-side user select" PIN, provide your PIN followed by the passcode to the IBM MFA Out-of-Band web page when prompted.
For a "user selected" PIN, provide only the passcode to the IBM MFA Out-of-Band web page when prompted.
- Use the generated cache token credential as your password with the z/OS application.
Certificate Authentication
- When prompted by the IBM MFA Out-of-Band web page, select the client certificate you want to use to authenticate yourself. Your security administrator will typically provide guidance on which certificate to use.
Note: If you are using Internet Explorer, be aware that the Windows Internet Options setting "Don't prompt for client certificate selection when only one certificate exists" can result in your not having to choose a certificate. This setting is typically controlled by the system administrator.
- For PIV/CAC cards, you must then enter your valid PIN.
- Use the generated cache token credential as your password with the z/OS application.
Yubico OTP
- Use your YubiKey to generate an OTP in the Yubico OTP credential field.
- Use the generated cache token credential as your password with the z/OS application.
LDAP
- Enter your LDAP password in the Enter LDAP password field.
- Use the generated cache token credential as your password with the z/OS application.