Who knows more about protecting Z than Z people?

Frequently asked questions

Get answers to the most commonly asked questions about this product.


Getting started with this product

What are the system requirements for IBM Z Multi-Factor Authentication?

See the bottom of the IBM Z MFA Details tab for hardware, system and software requirements.

How does IBM Z Multi-Factor Authentication work with RADIUS?

Support for generic RADIUS, SafeNet RADIUS, and RSA SecurID RADIUS is included. In all cases, the RADIUS server determines whether the user's credentials are valid and, if so, returns success to RACF. RACF then resumes normal control and completes the authentication and authorization process.

Other common questions

What is IBM Z Multi-Factor Authentication (IBM Z MFA)?

IBM Z MFA works with the RACF Security Server infrastructure to create a layered defense by requiring selected z/OS users to logon with multiple authentication factors. IBM Z MFA provides alternate authentication mechanisms in place of the standard z/OS password.

Who is IBM Z Multi-Factor Authentication for?

Any organization running critical processing on IBM Z. To protect privacy and counter insider threats, social engineering, phishing attacks, and other vulnerabilities, MFA has become a requirement or component for regulatory compliance and best practice frameworks (e.g., PCI DSS, NIST, GDPR, DFS).

How does IBM Z Multi-Factor Authentication work with RACF?

RACF users can be configured to require authentication through IBM Z MFA. For these select users, RACF will call IBM Z MFA to help make the authentication decision during logon processing.

What additional factors does IBM Z Multi-Factor Authentication work with?

IBM Z MFA supports a wide range of authentication systems including: RADIUS-based factors, timed one-time password (TOTP) such as IBM Verify and TouchToken, certificate authentication (PIV/CAC users), and proprietary protocols such as RSA.

What is multi-factor authentication (MFA) or 2FA?

An MFA system requires multiple factors to be presented during logon in order to verify a user's identity. Each authentication factor must be from a separate category of credential types: 1) Something you know, 2) Something you have, and 3) Something you are.

What is IBM Resource Access Control Facility (RACF)?

RACF is a component of the Security Server for z/OS and is used to protect resources. RACF provides security by identifying and verifying users, authorizing users to access protected resources, and recording and reporting access attempts.

What is RADIUS?

RADIUS is a flexible IETF standard protocol that strengthens authentication, access and tracking. Generic RADIUS compatibility allows users to connect to a server using the protocol. Vendor integration (such as IBM Verify, Gemalto SafeNet and RSA SecureID) allow for more advanced integration.

What is in In-band vs Out-of-Band (OOB) authentication?

In-band authentication is when the user presents credentials directly into the application. IBM Z MFA Out-of-Band authentication allows a user to authenticate outside of the z/OS authentication process with one or more factors to retrieve a cache token credential.