IBM Multi-Factor Authentication for z/OS features

Extensions for RACF with auditing and provisioning

Introduce factor extensions to components of IBM RACF® user-related commands. Extend Security Authorization Facility (SAF) programming interfaces to define supported tokens during user authentication requests—enabling MFA-aware applications to specify factors in addition to RACF passwords or phrases. Audit extensions and provision and define MFA tokens using RACF user-related commands.

Centralized RACF database support

Store authentication data in the RACF database, define and alter MFA data in RACF with RACF commands, and unload non-sensitive MFA fields in the RACF database with the DBUNLOAD utility. z/OS® Security Server RACF enablement consists of updates to the RACF database, RACF commands, callable services, logon processing and RACF utilities.

RSA SecurID and IBM TouchToken support

Support RSA SecurID tokens (time-based algorithm, hardware or software-based tokens) and IBM TouchToken, a Timed One Time use Password (TOTP) generator token available for iOS. IBM TouchToken enables user authentication to be evaluated directly on z/OS, providing a means of enforcing two-factor authentication with no additional validation needed off platform.

PIV and CAC card support

Enable authentication for Personal Identity Verification (PIV) and Common Access Card (CAC) smart cards commonly used in the federal government. Establish the foundation for supporting other certificate-based, smart card authentication tokens.

Support for application exemption

Exempt from MFA processing those applications whose authentication properties can prevent MFA from working properly. Define SAF profiles that mark certain applications as excluded from MFA and allow a user to log on to that application with a password, password phrase or PassTicket. Conversely, use SAF profiles to create inclusion policies to ease adoption of MFA for selected users and applications.

Technical details

Software requirements

IBM Multi-Factor Authentication for z/OS requires:

  • z/OS V2.1 with z/OS Security Server with PTFs for APAR OA48359
  • z/OS V2.2 with z/OS Security Server with PTFs for APAR OA48359
  • RSA Authentication Manager 8.1 for RSA SecurID exploitation

Hardware requirements

IBM Multi-Factor Authentication for z/OS requires one of the following IBM Z® systems servers:

  • z13® or z13s™
  • zEnterprise® EC12
  • zEnterprise BC12
  • zEnterprise 196
  • zEnterprise 114

Technical specifications

Prerequisites for IBM Multi-Factor Authentication for z/OS:

  • z/OS® Security Server RACF with PTF for APAR OA48359, when available
  • RSA Authentication Manager 8.1 for RSA SecurID exploitation