Enabling only IBM MFA Out-of-Band login
Set the value of the CTC-PROMPT-ONLY field to make IBM® MFA Out-of-Band authentication mandatory or optional. The CTC-PROMPT-ONLY field setting affects all users and all IBM MFA authentication methods on the PAM client.
About this task
- If you want the users on an IBM MFA client system to use only the IBM MFA Out-of-Band authentication type, set the CTC-PROMPT-ONLY setting to Y.
- If you want users to be able to log in with both the IBM MFA Out-of-Band and in-band authentication types, set the CTC-PROMPT-ONLY setting to N. For details on in-band authentication, see Using in-band authentication with PAM.
- You can use the cache token credential in cases where the application replays the user password. Token codes can be used only once, which can cause issues in applications that cache and replay passwords.
- You can set the user to use certificate authentication for authenticating to the IBM MFA Out-of-Band web page, including certificates stored on Personal Identification Verification (PIV) and Common Access Card (CAC) cards.
- The IBM MFA Out-of-Band web page interface is typically more convenient to use than satisfying multiple authentication methods in-band.
Note: Do not add leading or trailing spaces to an entry. They can result in an "Error processing MFA request" error.