Multi-factor authentication concepts

IBM MFA relies on multiple authentication factors.

Multi-factor authentication is a method of computer access control in which a user is granted access only after successfully providing several authentication factors to an authentication mechanism. The authentication factors are typically from at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

Multiple authentication factors improve the security of user accounts.

Consider the following IBM MFA authentication flow:
  1. You create an IBM MFA authentication policy for users and provide them with the policy URL.
  2. The user navigates to the policy URL and provides credentials that satisfy the authentication methods of the policy.
  3. The IBM MFA server provides an authentication token called a cache token credential (CTC).
  4. The user navigates to the z/VM® LOGON screen.
  5. The user enters their user ID and pastes the authentication token into the password field.
  6. The ESM communicates with the IBM MFA server to verify the authentication token.
  7. If verification is successful, the ESM authorizes the logon.

IBM MFA for RSA SecurID authentication method

While authenticating by using the IBM MFA for RSA SecurID authentication method, the RSA Authentication Manager determines whether the user's credentials are valid and, if they are, returns success to IBM MFA. The operating system then resumes control and completes the authentication and authorization process as usual.

The IBM MFA for RSA SecurID authentication method requires the following credentials:

  • Something you have: The hardware or software RSA SecurID token.
  • Two things you know: An RSA SecurID Personal Identification Number (PIN), and a second knowledge factor.

IBM MFA for PIV/CAC or X.509 Certificate method

The IBM MFA for PIV/CAC or X.509 Certificate method is a general-purpose certificate authentication method that supports Personal Identity Verification (PIV) and Common Access Card (CAC) cards. Certificate authentication uses the client identity certificate to authenticate the user.

The IBM MFA for PIV/CAC or X.509 Certificate method requires the following credentials:
  • Something you have: The approved certificate, typically from a PIV or CAC card or other smart card.
  • Something you know: The Personal Identification Number (PIN).

IBM MFA for RADIUS authentication methods

IBM MFA includes support for "generic" RADIUS, SafeNet RADIUS, and RSA SecurID RADIUS. Generic RADIUS refers to the RADIUS server of your choice that returns a simple allowed or denied response. In all cases, the RADIUS server determines whether the user's credentials are valid, and if so, returns success. The operating system then resumes control and completes the authentication and authorization process as usual.
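The allow-or-deny exchange described above, as an added example that is not IBM's code and not part of this page: a minimal RFC 2865 Access-Request / Access-Accept round trip in Python with both the client (NAS) and server sides shown. The shared secret, user name and password are constructed sample values. It shows what the "simple allowed or denied response" actually carries: the server computes a Response Authenticator over its reply with the shared secret, so a reply whose code was altered in transit does not verify on the client. This is why the RADIUS shared secret must be strong and why deployments usually protect the RADIUS path with TLS or IPsec, since User-Password hiding relies only on MD5 and that secret.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (length counts the 2-byte header)."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    """Decode a run of attributes; reject a zero-length attribute so a malformed packet cannot loop forever."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def _hide_password(secret: bytes, authenticator: bytes, data: bytes, encrypt: bool) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), the chain starting from the Request Authenticator.
    When encrypting, the chain value is the ciphertext just produced; when
    decrypting, it is the ciphertext block just consumed."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if encrypt else block
    return out


def build_access_request(secret: bytes, identifier: int, user: bytes, password: bytes) -> bytes:
    """Client side: a random 16-byte Request Authenticator plus User-Name and the hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user)
    attrs += _attr(ATTR_USER_PASSWORD, _hide_password(secret, request_auth, password, True))
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def handle_access_request(secret: bytes, users: dict, request: bytes) -> bytes:
    """Server side: recover the password, check it, and answer Access-Accept or
    Access-Reject. The Response Authenticator is MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret), binding the answer to this request and to the secret."""
    _, identifier, length = struct.unpack(">BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    password = _hide_password(secret, request_auth, attrs[ATTR_USER_PASSWORD], False).rstrip(b"\x00")
    user = attrs.get(ATTR_USER_NAME, b"")
    ok = user in users and hmac.compare_digest(users[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack(">BBH", code, identifier, 20)  # no attributes in this reply
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def verify_response(secret: bytes, request: bytes, response: bytes):
    """Client side: accept the reply only if its identifier matches our request and
    its Response Authenticator verifies under the shared secret.
    Returns the response code, or None if the reply is not authentic."""
    code, identifier, length = struct.unpack(">BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def demo() -> tuple:
    """Constructed sample exchange: a valid logon, a wrong password, and a reject whose
    code was rewritten to Access-Accept by someone who does not know the secret."""
    secret = b"example-shared-secret"      # constructed value, not a real deployment secret
    users = {b"alice": b"correct horse"}   # constructed sample user store
    good = build_access_request(secret, 7, b"alice", b"correct horse")
    bad = build_access_request(secret, 8, b"alice", b"wrong")
    good_reply = handle_access_request(secret, users, good)
    bad_reply = handle_access_request(secret, users, bad)
    forged = bytes([ACCESS_ACCEPT]) + bad_reply[1:]
    return (verify_response(secret, good, good_reply),
            verify_response(secret, bad, bad_reply),
            verify_response(secret, bad, forged))
```

Running demo() yields (2, 3, None): the genuine accept and reject verify as codes 2 and 3, and the rewritten reply is discarded because its Response Authenticator no longer matches.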

IBM MFA for TOTP authentication method

The two methods of generating a time-based one-time password (TOTP) are generic TOTP and IBM TouchToken for iOS.

If you configure a user's account for generic TOTP, the user can log in by using a Quick Response (QR) code application on either an Android or Apple iOS device. The user installs an authenticator application that reads QR codes, such as IBM® Verify, Google Authenticator, or Duo Mobile, on their device. The user then logs in with their user name and the timed one-time password (OTP) that the application generates.

For IBM TouchToken for iOS, the user uses the IBM TouchToken for iOS application on supported Apple devices to generate a time-based one-time password (OTP), and then uses this password together with their user name to log in.

For both generic TOTP and IBM TouchToken for iOS, the OTP that the user enters must match the OTP that the IBM MFA server computes. OTPs change at regular intervals, so a code is only valid for a short time.

TOTP requires:
  • Something you have: The Apple Touch ID device with the provisioned IBM TouchToken for iOS application, or a QR code application on an Android or Apple iOS device.
  • Something you are: Your fingerprint, verified by Touch ID when you use IBM TouchToken for iOS.

IBM MFA for Yubico OTP authentication method

The OTP password generated by the Yubikey token must match the OTP password generated by the IBM MFA for Yubico OTP component on the IBM MFA server. OTP passwords are generated when you trigger the Yubikey token.

IBM MFA for Yubico OTP requires:
  • Something you have: The hardware Yubikey token.
  • Something you know: None on its own. IBM MFA for Yubico OTP supplies only a possession factor, so it should be combined with another authentication method that provides something you know.

IBM MFA for IBM Security Access Manager authentication method

IBM MFA for IBM Security Access Manager requires:
  • Something you know: The IBM MFA for IBM Security Access Manager verification one-time password, if configured.
  • Something you know: The IBM MFA for IBM Security Access Manager user ID and password.