MFA User Guide
This User Guide is for end users, who will use Multi-Function Authentication to connect to the organization's systems.
The MFA Administrator's Guide, which follows, documents how to set up and administer MFA systems, and is of less interest to end users.
Setting up your MFA Access
When you first log in to the IBM i via the green screen (5250) interface after MFA has been implemented, you may be prompted to enter further information about yourself (such as phone numbers or company ID) or private questions and answers to be used if you need to reset your password.
The screen that you are presented with should resemble this, although your organization may customize the fields on it:
Initial Questions
Number the fields that will be used for initial identification.
Mark fields that are not used in your organization by F7 on field. A minus appears, and they are omitted from WEB interface.
Use F10/F11 to scroll among the languages, F8 to change texts.
Select Initial identification question in English ( ENG )
1.00 * ID. Number
2.00 * Office phone
Birthday
Cell phone
Email address
Employee number
Family name
First name
Default User ID.
Bottom
F3=Exit F7=Remove F8=Change Text F10=Prv. lang. F11=Next lang. F12=Cancel
Once you have entered this information, you can continue to log in as before.
Soon afterward, you will receive an email containing the QR code and emergency codes for use with MFA, encrypted for security.
You will need to set up an authenticator app or device to use in MFA. MFA can work with, for example, Google Authenticator, Microsoft Authenticator, Authy, YubiKey, or the built-in iOS and macOS authenticators. Adding your account to each involves a simple process, though there are slight differences between them. Instructions for the Microsoft Authenticator, for example, are online at https://support.microsoft.com/en-us/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c
Print your emergency codes and store them someplace secure.
Logging In with MFA
Once you have been set up with MFA and established a connection for it to an Authenticator, the Sign On screen for the IBM i includes an additional field, MFA Token, below the Password field.
Sign On
System . . . . . : RLDEV
Subsystem . . . . : QINTER5
Display . . . . . : EVG02
User . . . . . . . . . . . . . .
Password . . . . . . . . . . . .
MFA Token . . . . . . . . . . . .
Program/procedure . . . . . . . .
Menu . . . . . . . . . . . . . .
Current library . . . . . . . . .
COPYRIGHT IBM CORP. 1980, 2018.
To sign in, enter your Username and Password as before. Open your Authenticator app or device and enter the six-digit code shown for your system in the MFA Token field.
NOTE: The value shown in the Authenticator changes every thirty seconds. If you see an error upon entering the value into the MFA Token field, there's a chance that it may have changed before you finished entering it. Check the Authenticator again and enter the new value.
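The expiry described in the NOTE above, as an added example that is not part of the original guide or the product's code. It assumes the authenticator uses standard TOTP (RFC 6238 with HMAC-SHA1), which the guide does not state, and it uses the RFC's published test key as a constructed secret. The `drift_steps` tolerance is a hypothetical verifier setting, not a documented product option.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as the NOTE states
DIGITS = 6   # six-digit code, as the guide states

# Constructed sample secret (the RFC 6238 SHA-1 test key), not a real enrollment.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed algorithm; the guide does not name it)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, server_time: int, drift_steps: int = 0) -> bool:
    """Accept the current step's code, plus drift_steps steps on either side."""
    for delta in range(-drift_steps, drift_steps + 1):
        t = server_time + delta * STEP
        if t < 0:
            continue  # no time step exists before the Unix epoch
        if hmac.compare_digest(totp(secret, t), submitted):  # constant-time compare
            return True
    return False


def demo() -> dict:
    read_at = 59   # user reads the code one second before the step ends
    typed_at = 61  # and submits it two seconds later, in the next step
    code = totp(SECRET, read_at)
    return {
        "code_read": code,
        "code_now": totp(SECRET, typed_at),
        "strict": verify(SECRET, code, typed_at),
        "with_drift": verify(SECRET, code, typed_at, drift_steps=1),
    }


if __name__ == "__main__":
    print(demo())
```

A wider `drift_steps` reduces spurious rejections at the step boundary but lengthens the time an observed code stays usable, so verifiers that allow drift normally keep it to one step and reject reuse of an already accepted code.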
Once you are authenticated, you can access the systems and exit points for which you have been authorized within the organization without further authentication for a predetermined amount of time.
Connecting to other Services with MFA
If you open a different connection to a system via FTP, ODBC, or other exit points, and are not currently authorized, the system sends you an email to confirm the connection.
The email may contain a link to click, which will confirm that you have initiated the connection. It may also require that you confirm the connection by entering the current six-digit code from your Authenticator or an emergency code.