Knowledge Article View - Customer Support

IBM Z Multi-Factor Authentication supports both In-Band and Out-of-Band authentication.

Out-of-Band authentication enables you to authenticate on a user-specific application with one or more factors to retrieve a cache token credential that you use to log on. Out-of-Band authentication is described in the IBM Multi-Factor Authentication for z/OS User's Guide. MFA Out-of-Band authentication requires you to authenticate "out-of-band" with one or more factors to retrieve an In-Band authentication code called a "cache token credential."
For In-Band authentication, you generate a token and use that token directly to log on (directly into the application).

In-Band authentication is not supported until SAS^® 9.4M9 (TS1M9). Although Out-of-Band authentication is not officially supported until SAS 9.4M9, it will work with SAS/CONNECT^® and SAS/SHARE^® pre-SAS 9.4M9 if the MFA policy is set to allow "REUSE" of the token.

The RACF user account must be configured for IBM MFA Out-of-Band and a policy that defines the factors. The user must supply the following details: whether the cache token credential can be reused and how long it can be reused. If the user is configured for multiple factors, then all configured authentication factors must succeed to receive an In-Band authentication code.

For details about SAS and z/MFA, see About IBM Z Multi-Factor Authentication (MFA).

When you troubleshoot IBM MFA on z/OS problems, here is a list of questions to consider:

How is the RACF user ID configured?
Issue the RACF listuser (lu) command for the user to see whether the user ID is MFA enabled.
What factors are configured for the user?
Is the SAS^®9 SVC installed?
Is PASSPHRASE support enabled for the user?
What is the length of the cache token?
Enable MFA tracing using the operator command:
F <mfa stc name>,STC SET TRACE LEVEL 2 /* levels 0 -> 3 */
Enable enhanced logging for the SAS/CONNECT spawner.

Some applications have authentication properties that can prevent certain MFA factors from working properly:

No passphrase support – Some MFA authenticators can generate chars tokens that are longer than eight characters.
No password change field – Certain MFA factors can use the Password Change field to change an RSA SecurID PIN during logon.
PassTickets authenticators – This is presently not supported by MFA.
Replay of passwords – Some MFA credentials are different at every logon and cannot be replayed.

Mainframe Multi-Factor Authentication (MFA) supported under z/OS