Logging in with valid PIN and passphrase with compound in-band authentication

You can log in to TSO/E with a valid PIN when using pass phrases. Your administrator must have configured your account for IBM® MFA Compound In-Band. This use case requires a hardware token with a PINpad.

About this task

Important: If your RACF® password has expired, you are prompted during the compound in-band login session to change your RACF password. However, after attempting to change your password, the IBM MFA credentials are then replayed, which causes the password change operation to fail. In this case, begin a new TSO/E session, log in with your existing password and IBM MFA credentials, and then use the -New Password option on the panel to change your RACF password.

This alternate login flow is not needed if your administrator has configured your account for identity tokens. Identity tokens are configured on your behalf, and are not something you directly use.

Procedure

Perform the following steps:

  1. Begin to log in to TSO/E with your user name.
  2. Enter your PIN in the SecurID token and generate a passcode.
  3. Enter the 6- to 8-digit passcode displayed by the SecurID token, followed by the separator, followed by your passphrase or password in the Password field.
    Note: Your security administrator can reverse the order in which you enter the credentials, so that you enter your passphrase or password first, followed by the separator. Consult your security administrator for guidance.
  4. Press Enter.