Re: Free MFA for IBM i -- MIDRANGE-L

Subject: Re: Free MFA for IBM i
From: Justin Taylor <jtaylor.0ab@xxxxxxxxx>
Date: Tue, 8 Apr 2025 14:52:45 -0500
List-archive: <https://archive.midrange.com/midrange-l/>
List-post: <mailto:midrange-l@lists.midrange.com>
List-subscribe: <https://lists.midrange.com/mailman/listinfo/midrange-l>, <mailto:midrange-l-request@lists.midrange.com?subject=subscribe>
List-unsubscribe: <https://lists.midrange.com/mailman/options/midrange-l>, <mailto:midrange-l-request@lists.midrange.com?subject=unsubscribe>

It's good to hear that restricted state works. Of course, the next
question is how to handle MFA for QSECOFR? Best practice is for admins to
use their own accounts rather than QSECOFR, but you still have to have
QSECOFR. Do you leave QSECOFR unprotected (Lab Services recommendation
using the old product)? If you use MFA, where do you put the client
authenticator?

As for time changes (assuming you mean Daylight Savings Time), I assume
both sides will always use UTC.

On Tue, Apr 8, 2025 at 1:13 PM Rob Berendt <robertowenberendt@xxxxxxxxx>
wrote:

I have had it confirmed directly from the Gods Themselves that this will
work in restricted state. It is simply TOTP. Make sure that your time on
your IBM i is accurate (see using NTP) and it will match fine with your
TOTP device. No communication necessary. I had this same doubt. I have
been totally placated.

As an Amazon Associate we earn from qualifying purchases.

Follow-Ups:

Re: Free MFA for IBM i , Steve Pavlichek

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.