Bypassing IBM MFA for applications
You can bypass IBM® MFA for specific applications and specific application users. After you bypass IBM MFA, the application users must use their RACF® password to log on.
You can bypass IBM MFA for specific applications and specific application users, allow IBM MFA access only for specific applications and specific application users, and set a default IBM MFA bypass profile for applications that are not otherwise allowed or bypassed.
A valid CTC can be used as the credential on any in-band authentication request, even for authentication requests that are associated with an MFABYPASS profile.
There are three high-level scenarios for bypassing IBM MFA for specific applications or allowing IBM MFA access for specific applications, as shown in Table 1.
| Scenario | Description |
|---|---|
| You know the application provides the RACF application name in the APPL=applname parameter of a RACROUTE REQUEST=VERIFY request, and you know the applname value. | In this case, IBM MFA generates a profile of the name MFABYPASS.APPL.applname and tests users' access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA authenticates the credentials as IBM MFA credentials. If the access returned is READ or better, IBM MFA authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No further profile checks are made. |
| You know the application does not provide the RACF application name in the APPL=applname parameter of a RACROUTE REQUEST=VERIFY request, but the authentication is performed by an existing address space, such as an STC, that is running with a defined user ID. | In this case, IBM MFA generates a profile of the name MFABYPASS.USERID.STCUSERID and tests users' access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA authenticates the credentials as IBM MFA credentials. If the access returned is READ or better, IBM MFA authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No further profile checks are made. |
| You know the application does not provide the RACF application name in the APPL=applname parameter of a RACROUTE REQUEST=VERIFY request, and the authentication is performed by an address space, such as an STC, that is not running with a defined user ID, or it takes place during address space creation. | In this case, IBM MFA generates a profile of the name MFABYPASS.DEFAULT and tests users' access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA authenticates the credentials as IBM MFA credentials. If the access returned is READ or better, IBM MFA authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No further profile checks are made. |
Define the generic profiles MFABYPASS.APPL.* and MFABYPASS.USERID.* with an access level of UACC(NONE) and no access list to ensure that no unintended bypasses of IBM MFA occur.
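The following model traces the profile selection from the three scenarios in Table 1 and the effect of the UACC(NONE) generic profiles recommended above. It is an added example written for this page, not IBM MFA or RACF code: the MFADEF profiles, user IDs and application names are constructed, RACF generic matching is approximated with a simple wildcard match, and the behaviour when no profile covers the resource at all (treated here as access NONE, so IBM MFA credentials are required) is an assumption rather than something the page states.

```python
"""Trace how IBM MFA chooses an MFABYPASS profile and what access means.

Added example, not IBM's code. The MFADEF class below is simulated; all
profile names, user IDs and access lists are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

# RACF access levels, ordered so that "READ or better" is a simple comparison.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    """One profile in the (simulated) MFADEF class."""
    name: str                                  # e.g. MFABYPASS.APPL.* or MFABYPASS.APPL.BATCHAPP
    uacc: str = "NONE"                         # universal access
    acl: Dict[str, str] = field(default_factory=dict)  # user ID -> access level


def bypass_profile_name(appl: Optional[str], stc_userid: Optional[str]) -> str:
    """Return the single MFABYPASS profile IBM MFA tests for this request.

    Exactly one name is produced, matching the page's "no further profile
    checks are made": an APPL name never falls through to USERID or DEFAULT.
    """
    if appl:                       # scenario 1: APPL=applname was supplied
        return f"MFABYPASS.APPL.{appl.upper()}"
    if stc_userid:                 # scenario 2: address space with a defined user ID
        return f"MFABYPASS.USERID.{stc_userid.upper()}"
    return "MFABYPASS.DEFAULT"     # scenario 3: no APPL, no defined user ID


def matching_profile(profiles: List[Profile], resource: str) -> Optional[Profile]:
    """Pick the covering profile: a discrete (exact) profile wins over generics,
    otherwise the most specific generic. Simplification: '*' matches any
    characters, which is looser than real RACF generic rules."""
    for p in profiles:
        if p.name == resource:
            return p
    generics = [p for p in profiles if "*" in p.name and fnmatchcase(resource, p.name)]
    if not generics:
        return None
    return max(generics, key=lambda p: len(p.name.replace("*", "")))


def effective_access(profile: Optional[Profile], userid: str) -> str:
    """Access list entry for the user if present, else UACC.
    No covering profile is treated as NONE (assumption, not stated on the page)."""
    if profile is None:
        return "NONE"
    return profile.acl.get(userid.upper(), profile.uacc)


def authenticator_for(profiles: List[Profile], userid: str,
                      appl: Optional[str] = None, stc_userid: Optional[str] = None) -> str:
    """'MFA' when IBM MFA credentials are required, 'RACF' when the RACF
    password or passphrase is accepted because access is READ or better."""
    name = bypass_profile_name(appl, stc_userid)
    access = effective_access(matching_profile(profiles, name), userid)
    return "RACF" if ACCESS_RANK[access] >= ACCESS_RANK["READ"] else "MFA"


def accepted_credentials(profiles: List[Profile], userid: str,
                         appl: Optional[str] = None, stc_userid: Optional[str] = None) -> Set[str]:
    """Credential kinds accepted for the request. A valid CTC is accepted on any
    in-band request, bypassed or not, as the page states."""
    return {authenticator_for(profiles, userid, appl, stc_userid), "CTC"}


# Constructed MFADEF class: the recommended UACC(NONE) generics plus two
# deliberate, narrowly scoped bypasses.
MFADEF_PROFILES = [
    Profile("MFABYPASS.APPL.*", uacc="NONE"),
    Profile("MFABYPASS.USERID.*", uacc="NONE"),
    Profile("MFABYPASS.DEFAULT", uacc="NONE"),
    Profile("MFABYPASS.APPL.BATCHAPP", uacc="NONE", acl={"SVCUSER": "READ"}),
    Profile("MFABYPASS.USERID.FTPD", uacc="READ"),
]

if __name__ == "__main__":
    cases = [
        ("ALICE", dict(appl="BATCHAPP")),        # generic would bypass nothing; ACL lacks ALICE
        ("SVCUSER", dict(appl="BATCHAPP")),      # explicit READ on the discrete profile
        ("ALICE", dict(appl="TSO")),             # only MFABYPASS.APPL.* covers it: UACC(NONE)
        ("ALICE", dict(stc_userid="FTPD")),      # bypass for everyone authenticating via FTPD
        ("ALICE", dict(stc_userid="OTHERSTC")),  # caught by MFABYPASS.USERID.*
        ("ALICE", dict()),                       # MFABYPASS.DEFAULT
    ]
    for user, kw in cases:
        print(user, kw, "->", bypass_profile_name(kw.get("appl"), kw.get("stc_userid")),
              authenticator_for(MFADEF_PROFILES, user, **kw))
```

The constructed class corresponds to RACF definitions of the form `RDEFINE MFADEF MFABYPASS.APPL.* UACC(NONE)`, `RDEFINE MFADEF MFABYPASS.APPL.BATCHAPP UACC(NONE)` followed by `PERMIT MFABYPASS.APPL.BATCHAPP CLASS(MFADEF) ID(SVCUSER) ACCESS(READ)`, with a `SETROPTS RACLIST(MFADEF) REFRESH` afterwards so the changes take effect. The trace makes the point of the generic profiles visible: any application name or STC user ID that nobody explicitly permitted resolves to a UACC(NONE) generic and still requires IBM MFA credentials, while a missing generic would leave the outcome dependent on whether any profile covers the resource at all.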