Frank Swarbrick wrote: >I have a curious question about MFA on z/OS. Does each login >require a different token? Meaning, if I log on to TSO and to CICS, >can I use the same token? I ask because I log on and off to >various CICS regions throughout the day, and I'd hate to have to >get a new token for each login. (We don't use MFA right now, >except for our mainframe "outsourcer" teams (Kyndryl).
That’s configurable based on what security posture you’re trying to maintain. The token can be one-time (and time limited) or can be reused (and still time limited). The time limit is configurable, too. >I wish that you could just "logon to VTAM," as it were, and it would >log you in to each VTAM application you use. I don't think this is >available right now, correct me if I'm wrong! Yes, you can do that with a combination of CL/SUPERSESSION, Z MFA, and PassTickets. Other combinations may be possible, but that’s the typical IBM combination. The entry point to the documentation is here: https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-clsupersession-zos ————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific [email protected] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
