Multi-factor authentication concepts
IBM® MFA relies on multiple authentication factors.
A multi-factor authentication system requires that multiple authentication factors be presented during logon in order to verify a user's identity. Each authentication factor must be from a separate category of credential types.
Requiring multiple authentication factors improves the security of your user account.
- Out-of-band authentication allows you to authenticate on a user-specific web page with one or more factors to retrieve a cache token credential that you use to log in. Out-of-band authentication is described in IBM MFA Out-of-Band concepts. Out-of-band authentication methods are described in Part 2: Out-of-Band Authentication.
- For in-band authentication, you directly log on. In-band authentication methods are described in Part 3: In-Band Authentication.
IBM MFA with SecurID
In the simplest terms, for IBM MFA with SecurID, the RSA Authentication Manager determines whether the user's credentials are valid and, if so, returns success to RACF®. RACF then resumes control and completes the authentication and authorization process as usual.
IBM MFA with SecurID requires:
- "Something you have." (The hardware or software RSA SecurID token.)
- "Two things you know." (The RSA SecurID Personal Identification Number (PIN) and the generated token code.)
IBM MFA with RADIUS
IBM MFA includes support for "generic" RADIUS, SafeNet RADIUS, and RSA SecurID RADIUS. Generic RADIUS refers to the RADIUS server of your choice that returns a simple allowed/denied response. In all cases, the RADIUS server determines whether the user's credentials are valid and, if so, returns success to RACF. RACF then resumes control and completes the authentication and authorization process as usual.
TOTP
For TOTP, you can log in by using an application such as IBM Verify, Google Authenticator, Duo Mobile, and so forth on an Android or Apple iOS device to generate a hashed, timed one-time password (OTP), and then use this password together with your z/OS® user name to log on to the z/OS system.
The OTP password generated by the application must match the OTP password generated by the TOTP component on the z/OS server. OTP passwords are regenerated at regular intervals. OTP passwords that are generated from the same secret key are identical if they are generated within a predetermined "token period" time value, which your security administrator can set at intervals of 15, 30, or 60 seconds, and a "window", which your security administrator can set from 1 to 10.
- "Something you have." (The Android or Apple iOS device, with the provisioned QR code application.)
- "Something you are." (Your fingerprint.)
Certificate Authentication
Certificate Authentication is a general-purpose certificate authentication method that includes Common Access Card (CAC) and Personal Identity Verification (PIV) cards. Certificate authentication uses the client identity certificate to authenticate the user.
- "Something you have." (The approved certificate, typically from a PIV or CAC card or other smart card.)
- "Something you know." (The Personal Identification Number (PIN).)
Yubico OTP
The OTP password generated by the Yubikey token must match the OTP password generated by the Yubico OTP component on the z/OS server. OTP passwords are generated when you trigger the Yubikey token.
- "Something you have." (The hardware Yubikey token.)
- "Something you know." (Yubico OTP should be used with compound in-band authentication or with IBM MFA Out-of-Band authentication.)
LDAP
You can use your LDAP password to authenticate with IBM MFA.
- "Something you know." (The LDAP password.)
- "Something else you know or have." (LDAP should be used with compound in-band authentication or with IBM MFA Out-of-Band authentication.)