Where the mainframe is concerned, the Federal Government uses a PIV and IBM MFA that creates a one-time password that has a VERY short time to use it.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Seymour J Metz
Sent: Monday, June 23, 2025 8:01 AM
To: [email protected]
Subject: Re: MFA and scripting

The IRS uses a card and a PIN. Some applications, e.g., TSO via InfoConnect, support MFA directly, while others require a one-time passticket (OTT). There seems to be an MFA issue for nonstandard screen sizes.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Colin Paice <[email protected]>
Sent: Monday, June 23, 2025 5:10 AM
To: [email protected] <[email protected]>
Subject: MFA and scripting

MFA is getting to be more of a requirement. How do people handle MFA when scripting from Windows and Linux?

The basic rules are something you know, and something you have - which makes it hard for scripts as there is no person to type things in.

We can do certificate logon which avoids a password - but what other factor can we use? If your password is encrypted (or masked) on your laptop, then bad guys with access to your machine can steal both your password and your certificate, so this doesn't count.

All I can think of is to have a hardware dongle like a Yubico USB device plugged into the laptop.

You could have networking rules - if from these IP addresses (internal to your site) then do something special - otherwise require full MFA. But I don't think we have the systems on z/OS to support this - for example z/OS TCPIP going to Liberty on z/OS.

Any thoughts?

Colin

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
