TOTP supports common Quick Response (QR) codes on both Android and Apple iOS devices.
Before you begin
Note: Not all TOTP client applications support all combinations
of token length, period, or digest algorithm. In addition, not all TOTP applications
display errors when importing combinations of TOTP parameters that the application
does not support. IBM recommends that you confirm that a specific combination of
token length, period, and digest algorithm is compatible with a specific TOTP
application prior to rolling out AZFTOTP1 in production environments.
Procedure
- Instruct the user to open the TOTP start page in a desktop web browser and log in with their z/OS® user name and password:
  https://hostname:6789/AZFTOTP1/genericStart
  A page that contains the AuthURL and the encoded QR code is displayed.
- Instruct the user to point their device at the generated QR code and scan it with an application such as IBM® Verify, Google Authenticator, Duo Mobile, and so forth.
  The application displays the TOTP code.
- Instruct the user to enter the TOTP code on the web page and click Generic TOTP Enrollment.
- If an error occurs, the user is prompted to retry enrollment. In this case, for the greatest compatibility with QR applications, first set the following tag values:
  - ALG SHA1
  - NUMDIGITS 6
  - PERIOD 30
  ALU [Login ID] MFA(FACTOR(AZFTOTP1)
  TAGS(ALG:SHA1 NUMDIGITS:6 PERIOD:30))
  Instruct the user to click Retry enrollment.
- If the enrollment is successful, the message "New TOTP token has been confirmed and is ready to use." is displayed.
- The user must now use this TOTP token code to log on to their z/OS application.
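To confirm that a TOTP application handles a given combination of token length, period, and digest algorithm before rollout, the code it displays can be compared with a reference RFC 6238 calculation. The following is an added example, not IBM code: it computes the code that a client honoring every parameter should show, and the code that a client silently falling back to SHA1, 6 digits, and 30 seconds would show instead. It assumes the AuthURL uses the otpauth://totp key URI format; the sample URI and its secret are constructed from the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

ALGS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample, not a real enrollment: the secret is the RFC 6238 test key.
SAMPLE_URL = ("otpauth://totp/EXAMPLE:USER1?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&algorithm=SHA1&digits=8&period=30")

def parse_auth_url(url):
    """Return key bytes and TOTP parameters from an otpauth://totp URI (assumed format)."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # authenticator URIs usually strip base32 padding
    alg = q.get("algorithm", "SHA1").upper()
    if alg not in ALGS:
        raise ValueError("unsupported digest algorithm: " + alg)
    return base64.b32decode(secret), alg, int(q.get("digits", 6)), int(q.get("period", 30))

def totp(key, alg, digits, period, at):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, ALGS[alg]).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def expected_code(url, at):
    """Code a client that honors every parameter in the URI should display."""
    return totp(*parse_auth_url(url), at)

def fallback_code(url, at):
    """Code shown by a client that silently ignores the parameters and uses SHA1/6/30."""
    key = parse_auth_url(url)[0]
    return totp(key, "SHA1", 6, 30, at)

if __name__ == "__main__":
    now = time.time()
    print("expected:", expected_code(SAMPLE_URL, now))
    print("if the app ignores the parameters:", fallback_code(SAMPLE_URL, now))
```

Run the comparison with the AuthURL of a test account only, because the URL contains the shared secret for that token.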