Multi-Factor Authentication

If a usercode is configured to require a second authentication factor, that factor must be provided during logon to verify the identity of the user. Depending on how MFA is configured, the factor uses either a push or a pull method. A push factor sends an access request to the user, who approves or denies it. A pull factor delivers a one-time passcode (OTP) that the user must enter to complete the logon. Depending on your needs, you can use the EMAIL utility to configure a pull factor, or use the third-party security platform Duo Security to configure either a push or a pull factor.

The following security option and usercode attribute settings determine whether two-factor authentication is required for a usercode:

  • The MFA security option is enabled with the SECOPT system command

  • The MFAREQUIRED usercode attribute is set

  • The MFAPROTOCOL usercode attribute is set to a valid protocol

    The valid protocols for MFAPROTOCOL are:

    • EMAIL

      Requires the user to enter a one-time passcode that is sent to the email address associated with the usercode attempting to authenticate.

      Note: For MFA configurations using the EMAIL utility, MFAPROTOCOL must be set to EMAIL, the EMAIL usercode attribute must be set to a valid email address, and the EMAIL utility must be installed. For more information about the EMAIL utility, refer to the System Software Utilities Operations Reference Manual. Keep the EMAIL attribute of MFA-required usercodes current: a passcode sent to a stale or shared mailbox cannot be entered by the intended user, but can be by whoever reads that mail.

    • DUOPUSH

      Sends a push notification to the mobile device of the user attempting to authenticate. The user either allows or denies the request.

    • DUOPHONE

      Places an automated call to the mobile device of the user attempting to authenticate. The user is prompted to press any key to authenticate.

    • DUOPULL

      Requires the user to enter a passcode generated by the Duo Security application on the user's device.

    Note: The protocols DUOPUSH, DUOPHONE, and DUOPULL are only valid for MFA configurations using the third-party security platform Duo Security.

After the usercode, accesscode, and chargecode are validated, the user must authenticate using the protocol specified by MFAPROTOCOL; the second factor is never requested before the primary credentials pass. For example, if MFAPROTOCOL is set to EMAIL, a user logging on through MARC or CANDE must enter the passcode received at the email address associated with the usercode. When two-factor authentication completes, the user is logged on. If two-factor authentication was completed during a MARC logon, it is not repeated when the station is transferred to CANDE.
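To make the rules above concrete, the following Python model encodes the MFA decision (SECOPT MFA option, MFAREQUIRED, and a valid MFAPROTOCOL), the prerequisites of each protocol, the order of validation (primary credentials first, then the second factor), and the MARC-to-CANDE carry-over, and uses the decision to audit a list of usercodes for ones flagged for MFA that cannot complete it. It is an added example, not code from MCP, the EMAIL utility, Duo Security, or this manual; the class and function names, the SystemConfig flags, the six-digit passcode, and the sample usercodes are all assumptions. Denying logon for a usercode that is flagged for MFA but cannot complete it is the model's fail-closed policy, not a statement of what MCP does.

```python
"""Model of the MFA rules on this page (added example; every name is hypothetical)."""

from dataclasses import dataclass
import hmac
import secrets

PUSH_PROTOCOLS = {"DUOPUSH", "DUOPHONE"}   # user approves, denies, or presses a key
PULL_PROTOCOLS = {"EMAIL", "DUOPULL"}      # user types a one-time passcode
VALID_PROTOCOLS = PUSH_PROTOCOLS | PULL_PROTOCOLS


@dataclass
class SystemConfig:
    secopt_mfa: bool               # SECOPT MFA security option enabled
    email_utility_installed: bool  # EMAIL utility present (prerequisite for EMAIL)
    duo_configured: bool           # Duo Security integration present (DUO* protocols)


@dataclass
class Usercode:
    name: str
    mfarequired: bool = False      # MFAREQUIRED attribute
    mfaprotocol: str = ""          # MFAPROTOCOL attribute
    email: str = ""                # EMAIL attribute


def mfa_decision(cfg, uc):
    """Return (mode, problems); mode is NONE, PUSH, PULL or MISCONFIGURED.
    MFA applies only when the SECOPT option, MFAREQUIRED and a valid MFAPROTOCOL
    are all in place; a flagged usercode whose protocol cannot be carried out is
    reported as MISCONFIGURED rather than silently treated as exempt."""
    if not cfg.secopt_mfa or not uc.mfarequired:
        return "NONE", []
    proto = uc.mfaprotocol.upper()
    problems = []
    if proto not in VALID_PROTOCOLS:
        problems.append(f"MFAPROTOCOL {uc.mfaprotocol!r} is not a valid protocol")
    elif proto == "EMAIL":
        if not cfg.email_utility_installed:
            problems.append("EMAIL utility is not installed")
        if "@" not in uc.email:
            problems.append("EMAIL attribute is not a valid email address")
    elif not cfg.duo_configured:
        problems.append(f"{proto} requires Duo Security, which is not configured")
    if problems:
        return "MISCONFIGURED", problems
    return ("PUSH" if proto in PUSH_PROTOCOLS else "PULL"), []


def audit(cfg, usercodes):
    """Usercodes flagged for MFA that cannot complete it with the current setup."""
    findings = {}
    for uc in usercodes:
        mode, problems = mfa_decision(cfg, uc)
        if mode == "MISCONFIGURED":
            findings[uc.name] = problems
    return findings


@dataclass
class Station:
    """State of one station during a logon; mfa_completed is kept across a
    MARC-to-CANDE transfer so the second factor is not requested twice."""
    pending_mode: str = ""
    pending_passcode: str = ""
    mfa_completed: bool = False


def begin_logon(cfg, uc, station, primary_ok):
    """Primary credentials (usercode, accesscode, chargecode) are validated
    first; the second factor is requested only after they pass."""
    if not primary_ok:
        return "DENIED"
    mode, _ = mfa_decision(cfg, uc)
    if mode == "NONE" or station.mfa_completed:
        return "LOGGED_ON"
    if mode == "MISCONFIGURED":
        return "DENIED"  # fail closed: the model's policy, not a statement about MCP
    station.pending_mode = mode
    if mode == "PULL":
        # In practice the passcode travels by email or the Duo application; it is
        # kept on the station here only so a caller can simulate typing it.
        station.pending_passcode = f"{secrets.randbelow(10**6):06d}"
        return "AWAITING_PASSCODE"
    return "AWAITING_APPROVAL"


def complete_mfa(station, response):
    """response is True/False (allow/deny) for a push factor and the typed
    passcode for a pull factor; the passcode comparison is constant-time."""
    if station.pending_mode == "PUSH":
        ok = response is True
    elif station.pending_mode == "PULL":
        ok = (isinstance(response, str) and response.isascii()
              and hmac.compare_digest(station.pending_passcode, response))
    else:
        ok = False
    station.pending_mode, station.pending_passcode = "", ""
    if ok:
        station.mfa_completed = True
        return "LOGGED_ON"
    return "DENIED"
```

Running `audit` over an exported usercode list is the check worth keeping: a usercode with MFAREQUIRED set but no usable protocol is exactly the kind of gap that goes unnoticed until an account is compromised, and the model reports it instead of quietly exempting the user.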