Defining General MFA Parameters
To define general parameters for MFA, select 81. System Configuration from the main Multi-Factor Authentication (MFA) menu (STRMFA). The System Configuration screen appears:
    ODPARMR                   System Configuration          5/09/23 11:14:18
    Authority On Demand                        SIEM Support
     1. Global Parameters                      70. Main Control-----> Active
     2. Defaults                               71. SIEM 1: N
     3. Session End Activity                   72. SIEM 2: N
     4. Attachment setup                       73. SIEM 3: N
     6. Reason Structure                       75. SNMP Definitions
     8. Emergency rules
     9. Log Retention
    Person Based Products                      General
    51. P-R Password-Reset                     91. Language Support
    52. MFA Multi-Factor Authentication        95. Multi-System Setting
    53. U-P User-Provisioning
    58. Self-Enrollment Control                99. Copyright Notice
    59. Web Implementation

    Selection ===>
    Release ID . . . . . . . . . . . . . . 06.28 23-08-28 788C500 41A EP10 2
    Authorization code . . . . . . . . . . O02309689155 26 2 RLDEV
    F3=Exit   F22=Enter Authorization Code
Select 52. MFA Multi-Factor Authentication from the Person Based Products section of the System Configuration screen. The Multi-Factor-Authentication screens appear. Use the PgUp and PgDn keys to move among them.
    Multi-Factor-Authentication                              iSecurity/MFA
    The following entries are considered locally even in a multi-system setting
    Skip MFA if error in person definition   Y     Y=Yes, N=No
    Skip MFA for same person/IP if within.   3     1-1440 minutes
    Maximum wait time for entry . . . . .    5     3-90 minutes   For MFA & AOD
    Maximum TOTP attempts . . . . . . . .    3     1-9
    Maximum number of Emergency tokens . .   6     0-10   Time-based One-time Password
                                                   (TOTP) can be replaces by Emergency tokens
    One Time Password (OTP) length . . . .   6     4, 6, 8 or 10 characters
    Default for allow OTP instead of TOTP.   N     Y=Yes, N=No
    Protect TCP services  FTPSRV/REXEC. N   File Server . . N   Y=Yes, N=No
                          FTP Client. . N   Remote Pgm/Cmd. N   Used in TCP Enablement
                          TCP Signon. . N   DDM/DRDA . . . N    and in MFA check
                          ODBC . . . .  N
    FileServer max time to consider safe .   3     1-1440 minutes
    No MFA: User   A123  B123  C123   or Device  DSP02
    Adjustments for MFA usages, including filters, can be set by user program
    SMZODTA/MFADJUST. See explanations and example in SMZO/ODSOURCE MFADJUST
                                                                      More...
    F3=Exit
    Multi-Factor-Authentication                              iSecurity/MFA
    Web server URL   E.g http://1.1.1.10:8080/pr , pr is the web application name
      http://
    Raz-Lee APP URL  E.g http://1.1.1.20:8001 or *LOCALHOST
      http://
                                                                      Bottom
    F3=Exit   F12=Previous
The body of the screen includes the following fields:
Skip MFA if error in person definition
If MFA encounters an error in a Person definition, you can choose to skip authentication so that the user can still sign on.
Each such skip is logged, so you can review the MFA history in STRMFA > 45 Display History, or run a scheduled job using the job scheduler (STRMFA > 42 Work with Report Scheduler), which includes a report of these errors.
Skip MFA for same person/IP if within
Do not request authentication again if the same person, connecting from the same IP address, has been authenticated within the given number of minutes. The value may be from 10 to 1440. If it is set to 999, the system does not recheck connections from that user and IP if they have already been authenticated.
NOTE: When MFA is skipped based on this setting, all user profiles associated with the same person are allowed to sign on without MFA. Access will be granted only if it is coming from the same IP address.
Maximum wait time for entry
The number of minutes that the system waits for the user to respond after it sends a verification code. If that time is exceeded, the verification attempt fails. The value may be from 3 to 15. This item also affects Authority on Demand.
Maximum TOTP attempts
The maximum number of times that a person can try to enter TOTP codes before the connection is rejected. This can be between 0 and 9. If set to zero, the connection is rejected immediately if the person enters an incorrect value.
Maximum number of Emergency tokens
The maximum number of token codes generated when MFA is set up for a person.
One Time Password (OTP) length
The length of the verification code that is sent to the user. The value may be 4, 6, 8, or 10 (so that a code may be split evenly when sent to a combination of the user's cell phone and email).
Default for allow OTP instead of TOTP
To activate the default for OTP instead of TOTP, set its field to Y.
Protect TCP Services
Services that MFA can protect. To activate MFA for the service, set its field to Y.
FileServer max time to consider safe
The maximum amount of time that a file server session can remain active before requiring re-authentication. This can be between 1 and 1440 minutes.
No MFA
User profiles or devices that are excluded from MFA, regardless of any other MFA settings.
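The following is an added illustration (not Raz-Lee's code) of how the parameters above combine into a single sign-on decision: the No MFA list always wins, a person-definition error is skipped only when configured, the same person/IP window suppresses re-prompting (999 meaning never recheck), and the TOTP attempt limit rejects the connection. Parameter names, the person/IP cache and the sample users are constructed; the reading of "0" attempts as "first wrong entry rejects" is an assumption drawn from the description.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

NEVER_RECHECK = 999  # "Skip MFA for same person/IP if within" = 999: never re-prompt


@dataclass
class MfaParams:
    """Constructed values mirroring the System Configuration screen."""
    skip_on_person_error: bool = True          # Skip MFA if error in person definition
    skip_same_person_ip_minutes: int = 3       # Skip MFA for same person/IP if within
    max_totp_attempts: int = 3                 # Maximum TOTP attempts
    no_mfa_users: frozenset = frozenset({"A123", "B123", "C123"})  # No MFA: User
    no_mfa_devices: frozenset = frozenset({"DSP02"})               # No MFA: Device


@dataclass
class MfaState:
    # (person, ip) -> time of that person's last successful MFA from that IP
    last_auth: dict = field(default_factory=dict)


def mfa_required(params, state, user, device, person, ip, now, person_error=False):
    """Decide whether this sign-on must be challenged with MFA."""
    # The No MFA list is honoured regardless of any other setting
    if user in params.no_mfa_users or device in params.no_mfa_devices:
        return False
    # A broken person definition is skipped (and logged) only when configured
    if person_error:
        return not params.skip_on_person_error
    # The window is keyed on the person, so every profile of that person benefits,
    # but only from the same IP address
    last = state.last_auth.get((person, ip))
    if last is None:
        return True
    if params.skip_same_person_ip_minutes == NEVER_RECHECK:
        return False
    return now - last > timedelta(minutes=params.skip_same_person_ip_minutes)


def totp_session(params, state, person, ip, expected, entries, now):
    """Feed the codes a person types in order; return True once one is accepted,
    False when the attempt limit is exhausted and the connection is rejected.
    Assumption: 0 tolerates no wrong entry (behaves like 1); N allows N entries."""
    allowed = max(params.max_totp_attempts, 1)
    for code in entries[:allowed]:
        if code == expected:
            state.last_auth[(person, ip)] = now   # start the same person/IP window
            return True
    return False
```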
MFADJUST
MFA lets you select programmatically which users are asked to complete self-enrolment, and whether MFA is required at all for a given sign-on. This is done through an exit program that can modify the parameters of the GETMFA command. For details, see User Exit Program for the GETMFA, ENROLL commands.
Web server URL
The URL at which the person enters MFA codes.
Raz-Lee APP URL