IBM MFA Out-of-Band concepts
IBM MFA Out-of-Band authentication requires you to authenticate "out-of-band" with one or more factors to retrieve an in-band authentication code called a "cache token credential." Your security administrator must specifically configure your account for IBM MFA Out-of-Band.
In IBM MFA Out-of-Band authentication, you authenticate "out-of-band" with one or more authentication factors configured by your security administrator. A user-specific IBM MFA Out-of-Band login page prompts you for all of the authentication factors you must provide.
You follow the same process and provide the same information as you would for these factors without IBM MFA Out-of-Band, except that you enter the tokens on the login web page and not in your z/OS application.
You connect to the URL provided by your administrator and log on with your RACF user name and password or passphrase. You are then presented with a list of authentication policies. Each policy defines the factors you must supply and whether the cache token credentials can be reused and for how long they can be reused. When you select an authentication policy, you are then presented with the list of factors required to satisfy the policy.
The important thing to note is that all configured authentication factors must succeed for you to receive the in-band authentication code. For example, if your account were to be configured for IBM MFA with SecurID and IBM TouchToken, both must succeed.
If successful, you receive a cache token credential (CTC) that you use to log in to the z/OS application.