IBM/db2forzosdeveloperextension-about

Add support for MFA and Yubikey

The details for setting up MFA and Yubikey can be found here:
https://www.ibm.com/docs/en/zma/2.0?topic=yubikey-configure-mfa-compound-in-band#azf_yub_compound_provision_users

IDz uses DB2z Extensions for the DB2z Connections.

A specific IDz customer uses MFA with Yubikey for their authentication.
Currently, neither IDz nor DB2z Extensions support it.

Two things to note that this customer has done and would need to be accounted for in this RFE:

  1. Yubikey allows for a change in the order of the password and token. They have reversed it so that it is password and token.
  2. The token/password separator can be any of the characters listed in the URL above. They use %.

This customer has set up to use the password with an MFA token attached to it, separated with a %.
It ends up being TSO_password%#### where #### is the 4-digit Yubikey token.

If they add this as "password" (not "MFA token") and use the override, the test connection works.
The token does expire after a certain amount of time so they can't save their password combo.
If the token expires, the error they get for the connection is: userid or password invalid.

And, interestingly, looking at some CICS Explorer doc for another problem, I see they do use this method, so it is valid for other products:
When you make a CMCI connection, you are prompted to specify a password or passphrase. In the Password or Passphrase field, you must specify your password or passphrase coupled with an authentication token.
Ask your system administrator how to concatenate your password or passphrase and the authentication token.
https://www.ibm.com/docs/en/cics-explorer/5.4.0?topic=wcsc-multi-factor-authentication-mfa-credentials-cics-explorer-connections

At this time I believe the MFA feature forwards the password and MFA token as `mypassword:mytoken`, with the password on the left, token on the right, separated by a colon character. The left/right positioning and the separator character of the MFA authentication behavior cannot be customized at this time.
FYI: xiaoshir@us.ibm.com
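As an added illustration (not code from the extension or from either poster), the following Python models the in-band compound credential both posts describe: the customer's `TSO_password%####` layout and the extension's current `mypassword:mytoken` layout, with the separator character and the password/token order made configurable, and a matching split routine showing how the server side can recover the two halves. The set of allowed separator characters is an assumption; the authoritative list is in the IBM MFA doc linked in the issue.

```python
from dataclasses import dataclass

# Assumed set of allowed separator characters (constructed for this example;
# the authoritative list is in the IBM MFA doc linked in the issue).
ALLOWED_SEPARATORS = frozenset("%:#@!")


@dataclass(frozen=True)
class CompoundFormat:
    """How the server expects the in-band compound credential to be laid out."""
    separator: str = ":"         # extension's current behaviour: colon
    password_first: bool = True  # extension's current behaviour: password left, token right

    def __post_init__(self) -> None:
        if len(self.separator) != 1 or self.separator not in ALLOWED_SEPARATORS:
            raise ValueError(f"unsupported separator {self.separator!r}")


def build_compound(password: str, token: str, fmt: CompoundFormat) -> str:
    """Join a stored password and a freshly entered one-time token.

    The token is the short-lived half: the compound value must be sent and
    then discarded, because a cached copy fails with "userid or password
    invalid" once the token expires. Only the password half is safe to keep.
    """
    if not token or fmt.separator in token:
        raise ValueError("token must be non-empty and must not contain the separator")
    if fmt.password_first:
        return f"{password}{fmt.separator}{token}"
    return f"{token}{fmt.separator}{password}"


def split_compound(compound: str, fmt: CompoundFormat) -> tuple[str, str]:
    """Recover (password, token) from a compound credential.

    The token never contains the separator, so we split at the occurrence
    nearest the token side; a password that itself contains the separator
    character therefore still round-trips correctly.
    """
    if fmt.separator not in compound:
        raise ValueError("no MFA token present in credential")
    if fmt.password_first:
        password, token = compound.rsplit(fmt.separator, 1)
    else:
        token, password = compound.split(fmt.separator, 1)
    if not token:
        raise ValueError("empty MFA token")
    return password, token


# The two layouts that appear in the thread (credential values are constructed).
CUSTOMER_FORMAT = CompoundFormat(separator="%", password_first=True)   # TSO_password%1234
EXTENSION_FORMAT = CompoundFormat(separator=":", password_first=True)  # mypassword:mytoken

if __name__ == "__main__":
    compound = build_compound("TSO_password", "1234", CUSTOMER_FORMAT)
    print(compound)                                   # TSO_password%1234
    print(split_compound(compound, CUSTOMER_FORMAT))  # ('TSO_password', '1234')
```

A client that adopted this shape would store only the password half, prompt for the token on every connection attempt, and pass the configured `CompoundFormat` through to wherever the credential string is assembled, which is exactly the customization the issue asks for.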