MFA: displaying information


Some MFA information is stored in a user profile, some is stored in MFADEF profiles, and some (such as private keys) is stored in ICSF under a token.

Some information is stored in RACF but cannot be displayed by a RACF command, for example the STC configuration information.

Display user specific information

You can use the LISTUSER userid MFA command to display the MFA information for a userid. For example:

TSO LU YUBI14 MFA

gave

 ...
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
   AUTHENTICATION POLICIES =
   OOBCERT
   OOBYUBI
FACTOR = AZFYUBI1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:CONFIRMED
SERIAL:26146720
PUBNAME:vvhvjcrlelce
PRIVID:T4ZfCmaz8bbOdfv...
SECRET:WdxFUpQA9uWq...
CREATED:2024-01-23T14:28:08
MODIFIED:1706025957
YKCTR:1
YKUSE:4
YKTSL:1619
YKTSH:175

Note: LU YUBI12 MFA NORACF does not work. It gave me ICH30012I NO USER(S) LISTED. NORACF SPECIFIED AND NO OTHER SEGMENTS REQUESTED.
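
The LISTUSER output above includes the PRIVID and SECRET factor tags, so it is worth masking them before the output is saved or shared. The following Python is an added example, not code from this post or from IBM: it parses the MFA section in the layout shown above and masks those two tags. The function name, the choice of tags to mask, and the sample values are assumptions.

```python
import re

# Tags masked before the result is stored or logged (an assumption of this example).
SENSITIVE_TAGS = {"PRIVID", "SECRET"}

# Constructed sample in the layout shown above; all values are placeholders.
SAMPLE = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
   AUTHENTICATION POLICIES =
   OOBCERT
   OOBYUBI
FACTOR = AZFYUBI1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:CONFIRMED
PRIVID:EXAMPLEPRIVID
SECRET:EXAMPLESECRET
"""

def parse_lu_mfa(text):
    """Parse the MFA section of LISTUSER output into a dict, masking sensitive tags."""
    info = {"fallback_allowed": None, "policies": [], "factors": []}
    mode = None  # which multi-line list we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # skip blank lines and the dashed underline
        if line.startswith("PASSWORD FALLBACK IS"):
            # Only the NOT ALLOWED wording is on the page; anything else counts as allowed.
            info["fallback_allowed"] = "NOT ALLOWED" not in line
        elif line.startswith("AUTHENTICATION POLICIES ="):
            mode = "policies"
        elif (m := re.fullmatch(r"FACTOR = (\S+)", line)):
            info["factors"].append({"name": m.group(1), "status": None, "tags": {}})
            mode = None
        elif (m := re.fullmatch(r"STATUS = (\S+)", line)) and info["factors"]:
            info["factors"][-1]["status"] = m.group(1)
        elif line.startswith("FACTOR TAGS ="):
            mode = "tags"
        elif mode == "policies":
            info["policies"].append(line)
        elif mode == "tags" and ":" in line and info["factors"]:
            key, value = line.split(":", 1)  # values such as CREATED contain colons
            if key in SENSITIVE_TAGS:
                value = "<redacted>"
            info["factors"][-1]["tags"][key] = value
    return info
```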

Display MFA configuration information

Some information is available using the RACF RLIST command. Other information is not displayed.

You can list all of the profiles using

tso search class(MFADEF)

This gave me

FACTOR.AZFCERT1
FACTOR.AZFSTC
FACTOR.AZFTOTP1
FACTOR.AZFUSER1
FACTOR.AZFYUBI1
POLICY.OOBCERT
POLICY.OOBYUBI
POLICY.YUBIPOL

You can display a specific profile using

rlist mfadef POLICY.OOBYUBI NORACF MFPOLICY

This gave me

CLASS      NAME
----- ----
MFADEF POLICY.OOBYUBI

MFPOLICY INFORMATION
--------------------
FACTORS = AZFCERT1 AZFYUBI1
TOKEN TIMEOUT = 00000060
REUSE = NO

tso rlist mfadef FACTOR.AZFYUBI1 mfa NORACF

gave me

CLASS      NAME
----- ----
MFADEF FACTOR.AZFYUBI1
MFA INFORMATION
---------------
MFADATA is defined.

So there may be information, but it is not displayable.
