Home Z software Z security Multi-Factor Authentication Features
Enhance login security throughout your enterprise with extended mainframe user and token authenticate
Try it out
a grid pattern of dots on a dark background
IBM Z® Multi-Factor Authentication 2.2 features

IBM Z Multi-Factor Authentication (MFA) 2.2 enhances authentication modes and support to strengthen your enterprise security.

Pluggable authentication modules

With these modules for use with Linux on Z architecture, administrators of supported Linux distributions can configure PAM-compatible Linux applications to require that users satisfy an MFA policy before access to the application is granted.

MFA configuration option to request browser clients receiving cache token credentials mask the display of such credentials

The new configuration option is used in combination with new server resources to honor this setting in IBM Z MFA user interfaces for web-based policy authentication on z/OS and Linux.

Configuration of multiple instances of select MFA factors

Administrators on IBM z/OS are now able to configure multiple instances of select MFA factors, which provides improved flexibility when a single z/OS external security manager (ESM) database supports disparate tenant user communities.

“Console Modify” command

The new "Console Modify" command can be used to force the invalidation of all cache token credentials currently in the IBM Z MFA cache for a given user ID (z/OS only).


Support for RSA SecurID authentication

Support for RSA SecurID authentication on z/OS and Linux is provided by way of the RSA REST API.


Web-based ESM password reset

Web-based password reset can be enabled for users who have forgotten their ESM password but are able to successfully authenticate to an IBM Z MFA Policy (z/OS only).

Documentation and formal support for customer use of policy authentication

Formal support is now available for web interfaces on z/OS and Linux that were previously internal and undocumented.

Compare z/OS® versus z/VM® and Linux® on Z features

All versions of IBM Z MFA secure user logins to z/OS, using parts that run on z/OS. IBM Z MFA 2.1 introduced protection for user logins to z/VM. IBM Z MFA 2.2 can protect Linux on Z Architecture applications that support the pluggable authentication module (PAM) framework, using PAM modules that run on Linux.

IBM Z MFA 2.2 supports many authentication types and integration features. A partial list of supported features and integrations is included in the table below.

  • Listings with one asterisk (*) indicate features new in version 2.2.
  • Listing with two asterisks (**) indicate authentication types evaluated directly within IBM Z MFA without the use of an external network service. They allow time-based, one-time passwords.
Authentication features


z/VM and Linux on Z

Multiple authentication types*











RSA SecurID with ACEv5 UDP












Additional features

Use most features supported on z/OS on z/VM all under one license. Order through ShopZ, get both operating systems, choose which one to install, and use your existing MFA infrastructure.

Simplify MFA configurations in large environments with Version 2.1, which supports the production of secure credentials that can be used both within and beyond the boundary of the sysplex where the credential was generated.

Introduce factor extensions to components of IBM RACF®, ACF2 and TopSecret user-related commands. Extend Security Authorization Facility (SAF) programming interfaces to define supported tokens during user authentication requests, enabling MFA-aware applications to specify factors in addition to RACF, ACF2 and TopSecret passwords or phrases. Audit extensions and provision and define MFA tokens by using RACF, ACF2 and TopSecret user-related commands.

Use any factor based on the RADIUS standard protocol through the IBM Z MFA RADIUS gateway. Support RSA SecurID Token, with time-based algorithm, hard token or software-based tokens. RSA SecureID and Gemalto SafeNet implementations offer more robust and granular messaging.

In addition to the existing factor support, IBM Z MFA includes IBM Cloud Identity Verify (CIV) integration using the CIV RADIUS gateway and IBM Z MFA generic RADIUS protocol factor. CIV integration supports compound in-band authentication, where the CIV-generated OTP can be used with a RACF password or password phrase.

IBM TouchToken enables user authentication to be directly evaluated on z/OS to ensure a means of enforcing two-factor authentication with no additional off-platform validation. Generic TOTP support includes generic TOTP token applications, including standard-compliant TOTP third-party applications on Android and Microsoft Windows devices.

Enforce compound authentication, where more than one factor is required in the authentication process. Compound in-band authentication requires the user to supply a RACF credential (password or password phrase) in conjunction with a valid MFA credential.

Store authentication data in the RACF, ACF2 or TopSecret database, define and alter MFA data with RACF, ACF2 or TopSecret commands, and unload non-sensitive MFA fields in the database with DBUNLOAD utility. z/OS Security Server RACF, ACF2 and TopSecret enablement consists of updates to the database, commands, callable services, login processing and utilities.

Initiate authentication with IBM Security Access Manager (ISAM) by using the “pick a One-Time Passcode (OTP) procedure.” The OTP is used instead of the password when logging in to z/OS. ISAM integration supports compound in-band authentication, where the ISAM-generated OTP can be used in conjunction with the user's RACF password or passphrase.

Use a variety of Yubikey devices that support the Yubico OTP algorithm. IBM Z MFA does not require an external authentication server, and all OTP evaluation is performed on the z/OS system by the IBM Z MFA started task.

Establish the foundation for supporting any certificate-based authentication system. Enable authentication for Personal Identity Verification (PIV) and Common Access Card (CAC) smart cards commonly used in federal government.

Enable exempt MFA processing for applications with authentication properties that can prevent MFA from working properly. Define SAF profiles that will mark certain applications as excluded from MFA and allow a user to log in to that application with a password, password phrase or PassTicket. Conversely, use SAF profiles to create inclusion policies to ease adoption of MFA for selected users and applications.

Take the next step

Contact us to discuss your IBM Z Multi-Factor Authentication requirements and get pricing information. Try out the product before you buy.

Try it out
Expert resources to help you succeed Community Product documentation