IBM's documentation mentions an "Additional sign-on factor security attribute" that can be used to determine if MFA is enabled, and if sign on prompts should include an Additional Factor field: https://www.ibm.com/docs/en/i/7.6.0?topic=mfa-additional-sign-factor-security-attribute

Another section talks about exposing an "Additional Factor" input field if applications determine the Additional sign-on factor security attribute is enabled: 

With i Access Client Solutions 5250 emulator if I attempt to sign on to a system with MFA enabled, ACS will prompt me for my username, password, and an "Additional factor" token

If I attempt to sign on to a non-MFA system it only displays the username and password fields

I have a Windows application that interfaces with IBM i systems. I would like the sign on screen to work the same way as described in IBM's documentation and as seen with iACS. The problem is that the "Additional sign-on factor security attribute" is not publicly accessible, so it's unclear how an application would determine the value of this attribute prior to sign on. In my case, even if I manually sign on to a 5250 session and run DSPSECA I do not have authorities to view this attribute. 

How do I determine whether or not MFA is enabled on an IBM i system, particularly in the case where a user has not yet authenticated? 

Going by some of your earlier discussion on a related thread, something is going to have to use appropriate authority to determine this.  Adoption, profile swapping, etc.

Once you get past that you will have to remember that there are system switches, and individual profile switches.  It's possible to enable your system for MFA but have several users who do not require it.  For example production workers with extremely limited authority may not have MFA turned on to avoid dealing with smartphones and other TOTP devices.  So your best bet is to 'assume' the system switch is on and just check the user profile for the appropriate column.

IBM's documentation mentions an "Additional sign-on factor security attribute" that can be used to determine if MFA is enabled, and if sign on prompts should include an Additional Factor field: https://www.ibm.com/docs/en/i/7.6.0?topic=mfa-additional-sign-factor-security-attribute

Another section talks about exposing an "Additional Factor" input field if applications determine the Additional sign-on factor security attribute is enabled: 

With i Access Client Solutions 5250 emulator if I attempt to sign on to a system with MFA enabled, ACS will prompt me for my username, password, and an "Additional factor" token

If I attempt to sign on to a non-MFA system it only displays the username and password fields

I have a Windows application that interfaces with IBM i systems. I would like the sign on screen to work the same way as described in IBM's documentation and as seen with iACS. The problem is that the "Additional sign-on factor security attribute" is not publicly accessible, so it's unclear how an application would determine the value of this attribute prior to sign on. In my case, even if I manually sign on to a 5250 session and run DSPSECA I do not have authorities to view this attribute. 

How do I determine whether or not MFA is enabled on an IBM i system, particularly in the case where a user has not yet authenticated? 

Why not just display it all the time with your Windows app?

Why would your Windows app even need a custom screen to prompt for user id, password and additional factor?  Doesn't this open up an app to spoof a sign in screen and start farming security credentials?

------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne

Original Message:
Sent: Mon May 19, 2025 04:06 PM
From: Robert Berendt
Subject: How to detect if MFA is enabled on an IBM i system

Going by some of your earlier discussion on a related thread, something is going to have to use appropriate authority to determine this.  Adoption, profile swapping, etc.

Once you get past that you will have to remember that there are system switches, and individual profile switches.  It's possible to enable your system for MFA but have several users who do not require it.  For example production workers with extremely limited authority may not have MFA turned on to avoid dealing with smartphones and other TOTP devices.  So your best bet is to 'assume' the system switch is on and just check the user profile for the appropriate column.

------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne

Original Message:
Sent: Mon May 19, 2025 01:02 PM
From: Joe Fio
Subject: How to detect if MFA is enabled on an IBM i system

IBM's documentation mentions an "Additional sign-on factor security attribute" that can be used to determine if MFA is enabled, and if sign on prompts should include an Additional Factor field: https://www.ibm.com/docs/en/i/7.6.0?topic=mfa-additional-sign-factor-security-attribute

Another section talks about exposing an "Additional Factor" input field if applications determine the Additional sign-on factor security attribute is enabled: 

With i Access Client Solutions 5250 emulator if I attempt to sign on to a system with MFA enabled, ACS will prompt me for my username, password, and an "Additional factor" token

If I attempt to sign on to a non-MFA system it only displays the username and password fields

I have a Windows application that interfaces with IBM i systems. I would like the sign on screen to work the same way as described in IBM's documentation and as seen with iACS. The problem is that the "Additional sign-on factor security attribute" is not publicly accessible, so it's unclear how an application would determine the value of this attribute prior to sign on. In my case, even if I manually sign on to a 5250 session and run DSPSECA I do not have authorities to view this attribute. 

How do I determine whether or not MFA is enabled on an IBM i system, particularly in the case where a user has not yet authenticated? 

------------------------------
Joe Fio
------------------------------