This document describes basic requirements and expected behaviors under the MFA support in IBM Explorer for z/OS and IDz.
IBM Explorer for z/OS (z/OS Explorer) added support for Multi-Factor Authentication (MFA) in September 2017.
- v220.127.116.11 PTF UI50538
- v18.104.22.168 PTF UI51053
This information documents basic requirements and expected behaviors:
- MFA must be configured to allow for Passticket usage after initial authentication.
- Passtickets will be used during the whole lifetime of a user session, so the window in which Passtickets are accepted after initial authentication should be big enough to cover a typical workday, and must be at least long enough to cover the logon process.
- Once Passticket usage fails, the client connection will be severed and the user must re-logon (and thus re-authenticate). This behavior is similar to users being disconnected due to inactivity time-out.
- If MFA is set up to prompt for a second authentication, it will show to the user as though the first authentication failed, even if it was successful.
IBM Developer for z Systems (IDz) relies on z/OS Explorer for authentication, and is therefore able to support MFA without additional requirements, except the requirement for a z/OS Explorer service level that supports MFA.
Original Publication Date
15 June 2018
02 August 2018