News
Abstract
IBM i Integrated Multi-factor authentication (MFA) extends password authentication to include an additional authentication factor used to verify your identity.
Content
The IBM i integrated MFA solution incorporates a time-based one-time password (TOTP) key, which is stored in the user profile and is architecturally protected in a similar way to the password. The TOTP key is used, along with the system time, to generate a TOTP value. The TOTP value is presented as an additional factor when authenticating.
The solution works "out-of-the-box"
- No additional software required
- No agent configuration
- No server setup to another system
- No firewall port needs to be opened
True multi-factor authentication with no gap between authenticating the password and the additional factor
There are multiple levels of protection that can be configured on a profile by profile basis
The core IBM i system administration and management tools work with the most restrictive configuration
- Access Client Solutions (ACS)
- Navigator for i
The implementation is based on RFC 6238, so compatible client applications such as a PC application, smart phone application, smart watch application, or physical token that is standards compliant can be used to generate a TOTP value.
See the MFA overview topic in IBM Documentation for details on how to configure the different protection levels for individual user profiles.
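To check that a client application or token produces standards-compliant values, the RFC 6238 computation can be reproduced independently. The following Python sketch is an added example, not IBM code: it assumes the RFC defaults (HMAC-SHA-1, 30-second time step, 6 digits) and a hypothetical ±1 step acceptance window, none of which this page states for IBM i, and it uses the published RFC test key rather than a real one.

```python
import base64
import hashlib
import hmac
import struct

# Assumed parameters: RFC 6238 defaults, not values taken from IBM i.
STEP, DIGITS = 30, 6

def key_from_base32(text: str) -> bytes:
    """Decode a TOTP key in the Base32 form authenticator apps usually show."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(key, int(unix_time) // STEP, digits)

def verify(key: bytes, candidate: str, unix_time: int, window: int = 1):
    """Return the matching time-step offset (0 = clocks agree), else None.

    The window is a hypothetical tolerance for clock drift between the
    device generating the value and the system checking it.
    """
    if len(candidate) != DIGITS or not (candidate.isascii() and candidate.isdigit()):
        return None
    now = int(unix_time) // STEP
    for off in range(-window, window + 1):
        if now + off >= 0 and hmac.compare_digest(hotp(key, now + off), candidate):
            return off
    return None

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 SHA-1 test key, Base32-encoded.
    key = key_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    value = totp(key, 59)                # generated at T = 59 s
    print(value, verify(key, value, 75), verify(key, value, 150))
```

A non-zero offset from `verify` indicates that the two clocks disagree by at least one time step, which is the usual cause of rejected values when the key itself is correct.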
System Service Tools support
System service tools (SST) and dedicated service tools (DST) support a separate MFA TOTP key implementation that is not connected to the operating system MFA support. The TOTP keys set for SST users have no relationship to the TOTP keys set for IBM i user profiles; specifically, an SST user with a linked profile does not share a TOTP key with the linked profile. Another difference is that SST does not allow setting a frequency for providing the TOTP value; it is required every time a password is required. An SST administrator can enable MFA for SST without enabling it on the operating system.
For more information, refer to Service tools Multi-factor authentication (MFA).
Document Information
Modified date: 08 April 2025
UID: ibm17229961