Bypassing IBM MFA for applications

You can bypass IBM® MFA for specific applications and specific application users. After you bypass IBM MFA, the application users must use their RACF® password to log on.

You can bypass IBM MFA for specific applications and specific application users, allow IBM MFA access only for specific applications and specific application users, and set a default IBM MFA bypass profile for applications that are not otherwise allowed or bypassed.

Important: If you bypass IBM MFA for an application or application users, make sure that you tell the application users to log on with their RACF password or a valid cache token credential (CTC).

A valid CTC can be used as the credential on any in-band authentication request, even for authentication requests that are associated with an MFABYPASS profile.

There are three high-level scenarios for bypassing IBM MFA for specific applications or allowing IBM MFA access for specific applications, as shown in Table 1.

Table 1. Bypass Scenarios

Scenario 1
Scenario: You know the application provides the RACF application name in the APPL=applname parameter from a RACROUTE REQUEST=VERIFY request and you know the applname value.
Description: In this case, IBM MFA generates a profile of the name MFABYPASS.APPL.applname and tests users' access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA authenticates the credentials as IBM MFA credentials. If the access returned is READ or better, then IBM MFA authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No further profile checks are made.

Scenario 2
Scenario: You know the application does not provide the RACF application name in the APPL=applname parameter from a RACROUTE REQUEST=VERIFY request, but the authentication is performed by an existing address space, such as an STC, that is running with a defined user ID.
Description: In this case, IBM MFA generates a profile of the name MFABYPASS.USERID.STCUSERID and tests users' access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA authenticates the credentials as IBM MFA credentials. If the access returned is READ or better, then IBM MFA authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No further profile checks are made.

Scenario 3
Scenario: You know the application does not provide the RACF application name in the APPL=applname parameter from a RACROUTE REQUEST=VERIFY request, and the authentication is performed by an address space, such as an STC, that is not running with a defined user ID, or it takes place during address space creation.
Description: In this case, IBM MFA generates a profile of the name MFABYPASS.DEFAULT and tests users' access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA authenticates the credentials as IBM MFA credentials. If the access returned is READ or better, then IBM MFA authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No further profile checks are made.
Note: It is strongly recommended that you define profiles MFABYPASS.APPL.* and MFABYPASS.USERID.* with an access level of UACC(NONE) and no access list to ensure that no unintended bypasses of IBM MFA occur.
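The following Python model walks through the decision described in Table 1 and the Note: which MFABYPASS profile name is tested for each scenario, how the access returned from the MFADEF class selects IBM MFA versus RACF credentials, and why the catch-all MFABYPASS.APPL.* and MFABYPASS.USERID.* profiles with UACC(NONE) matter. This is an added illustration written for this page, not IBM MFA or RACF code. The profile names follow the page; the generic-profile matching is a deliberately simplified stand-in (a '*' qualifier matches exactly one qualifier), and the application names BATCHAPP and CICSPROD, the STC user ID FTPSTC and the users SVCUSER1 and ALICE are constructed. The "UNPROTECTED" outcome is the model's own label for "no profile covers the name"; the page does not say what happens then, which is exactly the gap the recommended catch-all profiles close.

```python
"""Model of the MFABYPASS decision logic from Table 1 (constructed illustration).

Not IBM MFA or RACF code: profile names follow the page; everything else is a stand-in.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# RACF access levels ordered so that "READ or better" is a numeric comparison.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    """One MFADEF-class profile: universal access (UACC) plus an access list."""
    uacc: str = "NONE"
    acl: Dict[str, str] = field(default_factory=dict)

    def access_for(self, user: str) -> str:
        # An access-list entry for the user takes precedence over UACC.
        return self.acl.get(user, self.uacc)


def bypass_profile_name(applname: Optional[str] = None,
                        stc_userid: Optional[str] = None) -> str:
    """Choose the profile name IBM MFA tests, per the three scenarios in Table 1."""
    if applname:                      # scenario 1: APPL= supplied on RACROUTE REQUEST=VERIFY
        return f"MFABYPASS.APPL.{applname}"
    if stc_userid:                    # scenario 2: authenticating address space has a user ID
        return f"MFABYPASS.USERID.{stc_userid}"
    return "MFABYPASS.DEFAULT"        # scenario 3: neither is available


def _covers(profile_name: str, resource: str) -> bool:
    """Simplified generic matching (assumption): '*' stands for exactly one qualifier."""
    p, r = profile_name.split("."), resource.split(".")
    return len(p) == len(r) and all(a == "*" or a == b for a, b in zip(p, r))


def find_profile(mfadef: Dict[str, Profile], resource: str) -> Optional[Profile]:
    """Exact (discrete) profile first, otherwise the most specific covering generic."""
    if resource in mfadef:
        return mfadef[resource]
    generics = [n for n in mfadef if "*" in n and _covers(n, resource)]
    if not generics:
        return None
    return mfadef[max(generics, key=lambda n: len(n.replace("*", "")))]


def credential_path(mfadef: Dict[str, Profile], user: str,
                    applname: Optional[str] = None,
                    stc_userid: Optional[str] = None) -> str:
    """'MFA'         -> access NONE: credentials are authenticated as IBM MFA credentials.
    'RACF'        -> access READ or better: credentials are authenticated as RACF
                     password or passphrase.
    'UNPROTECTED' -> no profile covers the name (model label; the page does not define
                     this case, and the catch-all profiles in the Note prevent it)."""
    profile = find_profile(mfadef, bypass_profile_name(applname, stc_userid))
    if profile is None:
        return "UNPROTECTED"
    if ACCESS_RANK[profile.access_for(user)] >= ACCESS_RANK["READ"]:
        return "RACF"
    return "MFA"                      # no further profile checks are made either way


# Constructed MFADEF class contents; application, STC and user names are made up.
MFADEF: Dict[str, Profile] = {
    "MFABYPASS.APPL.*":        Profile(uacc="NONE"),   # catch-alls recommended in the Note
    "MFABYPASS.USERID.*":      Profile(uacc="NONE"),
    "MFABYPASS.DEFAULT":       Profile(uacc="NONE"),
    "MFABYPASS.APPL.BATCHAPP": Profile(uacc="NONE", acl={"SVCUSER1": "READ"}),  # one bypassed user
    "MFABYPASS.USERID.FTPSTC": Profile(uacc="READ"),   # UACC(READ): bypasses every user of that STC
}

if __name__ == "__main__":
    for user, kw in [("SVCUSER1", {"applname": "BATCHAPP"}),
                     ("ALICE", {"applname": "BATCHAPP"}),
                     ("ALICE", {"applname": "CICSPROD"}),
                     ("ALICE", {"stc_userid": "FTPSTC"}),
                     ("ALICE", {})]:
        print(user, kw or "(default)", "->", credential_path(MFADEF, user, **kw))
```

Running the block shows the three cases a reviewer of an MFADEF setup should recognise: SVCUSER1 is the only user bypassed for BATCHAPP, every user authenticating through the FTPSTC address space is bypassed because that profile carries UACC(READ), and an application with no discrete profile (CICSPROD) falls through to MFABYPASS.APPL.* and therefore still requires IBM MFA. Removing the generic profiles from the dictionary turns that last case into "UNPROTECTED", which is the situation the Note's recommendation is designed to avoid.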