IBM Z Multi-Factor Authentication supports both In-Band and Out-of-Band authentication.
- Out-of-Band authentication requires you to authenticate "out-of-band" in a user-specific application with one or more factors to retrieve an In-Band authentication code called a "cache token credential," which you then use to log in. Out-of-Band authentication is described in the IBM Multi-Factor Authentication for z/OS User's Guide.
- For In-Band authentication, you generate a token and use that token directly to log on to the application.
In-Band authentication is currently not supported with the SAS/CONNECT® spawner on z/OS; support is being reviewed for a future release of SAS. Out-of-Band authentication is also not officially supported, but it should work with SAS/CONNECT and SAS/SHARE®.
The RACF user account must be configured for IBM MFA Out-of-Band and for a policy that defines the factors; the user must also supply whether the cache token credential can be reused and for how long. If the user is configured for multiple factors, all configured authentication factors must succeed before an In-Band authentication code is issued.
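The following model illustrates the Out-of-Band flow described above: a cache token credential (CTC) is issued only when every factor in the user's policy succeeds, and the policy decides whether the CTC is single-use or reusable and how long it stays valid. This is an added example, not IBM's or SAS's code; the Policy fields, the class and function names, the token format and the injectable clock are assumptions chosen to mirror the behaviour described in the text.

```python
"""Model of Out-of-Band MFA issuing a cache token credential (CTC).

Added illustration, not IBM's implementation. The policy shape, names and the
clock source are assumptions that mirror the text: all configured factors must
succeed, and the policy controls CTC reuse and lifetime.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
import secrets
import time


@dataclass(frozen=True)
class Policy:
    """Assumed policy shape: required factors plus the CTC reuse rules."""
    factors: Tuple[str, ...]
    reusable: bool          # may the same CTC be presented more than once?
    lifetime_seconds: int   # how long the CTC stays valid after issuance


@dataclass
class CachedToken:
    user: str
    expires_at: float
    reusable: bool
    used: bool = False


class OutOfBandAuthenticator:
    """Issues a CTC only after every factor in the user's policy succeeds and
    validates CTCs presented in-band according to that policy."""

    def __init__(self, policies: Dict[str, Policy],
                 clock: Callable[[], float] = time.monotonic):
        self._policies = policies
        self._clock = clock
        self._tokens: Dict[str, CachedToken] = {}

    def authenticate_out_of_band(self, user: str,
                                 factor_results: Dict[str, bool]) -> Optional[str]:
        """Return a CTC if *all* configured factors verified, otherwise None.

        A factor that is configured but missing from factor_results counts as
        failed, so a partial success never yields a credential.
        """
        policy = self._policies.get(user)
        if policy is None:
            return None
        if not all(factor_results.get(f, False) for f in policy.factors):
            return None
        ctc = secrets.token_urlsafe(24)  # constructed CTC format (assumption)
        self._tokens[ctc] = CachedToken(
            user=user,
            expires_at=self._clock() + policy.lifetime_seconds,
            reusable=policy.reusable,
        )
        return ctc

    def validate_in_band(self, user: str, ctc: Optional[str]) -> bool:
        """Validate a CTC presented as the in-band password.

        Rejects unknown tokens, tokens bound to another user, expired tokens,
        and any second use of a single-use token (replay).
        """
        entry = self._tokens.get(ctc or "")
        if entry is None or entry.user != user:
            return False
        if self._clock() >= entry.expires_at:
            del self._tokens[ctc]
            return False
        if entry.used and not entry.reusable:
            return False
        entry.used = True
        return True


def needs_passphrase_support(ctc: Optional[str]) -> bool:
    """A CTC longer than eight characters can only be entered where
    PASSPHRASE support is enabled for the user."""
    return ctc is not None and len(ctc) > 8


def demo() -> Dict[str, bool]:
    """Constructed scenario using a controllable clock (assumed for the demo)."""
    now = [1_000.0]
    auth = OutOfBandAuthenticator({
        "USER1": Policy(("TOTP", "SECURID"), reusable=False, lifetime_seconds=60),
        "USER2": Policy(("TOTP",), reusable=True, lifetime_seconds=300),
    }, clock=lambda: now[0])
    results: Dict[str, bool] = {}
    # Only one of two configured factors passed: no CTC is issued.
    results["partial_factors_rejected"] = auth.authenticate_out_of_band(
        "USER1", {"TOTP": True, "SECURID": False}) is None
    ctc1 = auth.authenticate_out_of_band("USER1", {"TOTP": True, "SECURID": True})
    results["ctc_issued"] = ctc1 is not None
    results["ctc_needs_passphrase"] = needs_passphrase_support(ctc1)
    results["first_use_ok"] = auth.validate_in_band("USER1", ctc1)
    results["replay_rejected"] = not auth.validate_in_band("USER1", ctc1)
    ctc2 = auth.authenticate_out_of_band("USER2", {"TOTP": True})
    results["wrong_user_rejected"] = not auth.validate_in_band("USER1", ctc2)
    results["reusable_twice"] = (auth.validate_in_band("USER2", ctc2)
                                 and auth.validate_in_band("USER2", ctc2))
    now[0] += 301  # advance past USER2's 300-second lifetime
    results["expired_rejected"] = not auth.validate_in_band("USER2", ctc2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The replay and expiry checks are the part worth noticing when troubleshooting: a single-use CTC presented twice, or one presented after its configured lifetime, fails exactly like a wrong password, so a spawner logon that fails on retry is consistent with policy rather than a defect.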
When you troubleshoot IBM MFA on z/OS problems, here is a list of questions to consider:
- How is the RACF user ID configured? Issue the RACF listuser (lu) command for the user.
- What factors are configured for the user?
- Is the SAS®9 SVC installed?
- Is PASSPHRASE support enabled for the user?
- What is the length of the cache token?
- Enable MFA tracing using the operator command F <mfa stc name>,STC SET TRACE LEVEL 2 (trace levels range from 0 to 3).
- Enable enhanced logging for the SAS/CONNECT spawner.
Some applications have authentication properties that can prevent certain MFA factors from working properly:
- No passphrase support – Some MFA authenticators generate tokens that are longer than eight characters.
- No password change field – Certain MFA factors can use the Password Change field to change an RSA SecurID PIN during logon.
- PassTicket authenticators – These are presently not supported by MFA.
- Replay of passwords – Some MFA credentials are different at every logon and cannot be replayed.