Frequently asked questions

Get answers to the most commonly asked questions about this product.

IBM Z MFA works with the RACF Security Server infrastructure to create a layered defense by requiring selected z/OS users to log on with multiple authentication factors. IBM Z MFA provides alternate authentication mechanisms in place of the standard z/OS password.


Any organization running critical processing on IBM Z. To protect privacy and counter insider threats, social engineering, phishing attacks, and other vulnerabilities, MFA has become a requirement or component for regulatory compliance and best practice frameworks (e.g., PCI DSS, NIST, GDPR, DFS).

RACF users can be configured to require authentication through IBM Z MFA. For these selected users, RACF will call IBM Z MFA to help make the authentication decision during logon processing.

IBM Z MFA supports a wide range of authentication systems, including RADIUS-based factors, timed one-time password (TOTP) factors such as IBM Verify and TouchToken, certificate authentication (PIV/CAC users), and proprietary protocols such as RSA.

See the bottom of the IBM Z MFA Details tab for hardware, system and software requirements.


Support for generic RADIUS, SafeNet RADIUS, and RSA SecurID RADIUS is included. In all cases, the RADIUS server determines whether the user's credentials are valid and, if so, returns success to RACF. RACF then resumes normal control and completes the authentication and authorization process.

An MFA system requires multiple factors to be presented during logon in order to verify a user's identity. Each authentication factor must be from a separate category of credential types: 1) Something you know, 2) Something you have, and 3) Something you are.


RACF is a component of the Security Server for z/OS and is used to protect resources. RACF provides security by identifying and verifying users, authorizing users to access protected resources, and recording and reporting access attempts.


RADIUS is a flexible IETF standard protocol that strengthens authentication, access and tracking. Generic RADIUS compatibility allows users to connect to a server using the protocol. Vendor integrations (such as IBM Verify, Gemalto SafeNet and RSA SecurID) allow for more advanced integration.


In-band authentication is when the user presents credentials directly into the application. IBM Z MFA Out-of-Band authentication allows a user to authenticate outside of the z/OS authentication process with one or more factors to retrieve a cache token credential.
