 How to detect if MFA is enabled on an IBM i system

Joe Fio posted Mon May 19, 2025 10:18 AM

Edit: Reposted to the following link as a "discussion" so I can reply to your responses: https://community.ibm.com/community/user/discussion/how-to-detect-if-mfa-is-enabled-on-an-ibm-i-system

Edit 2: I tried Marc's suggestion, but if I run SQL against QSYS2.SECURITY_INFO on our V7R6 environment I get an error: [SQL0443] *AUDIT OR *SECADM SPECIAL AUTHORITY REQUIRED.

IBM’s documentation mentions an “Additional sign-on factor security attribute” that can be used to determine if MFA is enabled, and if sign on prompts should include an Additional Factor field: Additional sign-on factor security attribute

Additional sign-on factor security attribute
The Additional sign-on factor security attribute indicates if MFA is enabled on your system.

Another section talks about exposing an "Additional Factor" input field if applications determine the Additional sign-on factor security attribute is enabled: 

With i Access Client Solutions 5250 emulator if I attempt to sign on to a system with MFA enabled, ACS will prompt me for my username, password, and an "Additional factor" token. 

If I attempt to sign on to a non-MFA system it only displays the username and password fields.

I have a Windows application that interfaces with IBM i systems. I would like the sign on screen to work the same way as described in IBM's documentation and as seen with iACS. The problem is that the “Additional sign-on factor security attribute” is not publicly accessible, so it's unclear how an application would determine the value of this attribute prior to sign on. In my case, even if I manually sign on to a 5250 session and run DSPSECA I do not have authorities to view this attribute. 

How do I determine whether or not MFA is enabled on an IBM i system, particularly in the case where a user has not yet authenticated? 
Marc Rauzier

What about running an SQL against QSYS2.SECURITY_INFO (https://www.ibm.com/docs/en/i/7.6.0?topic=mfa-additional-sign-factor-security-attribute and https://www.ibm.com/docs/en/i/7.6.0?topic=ssw_ibm_i_76/cl/dspseca.html)?

On PUB400 (V7R5) as a non admin user:

-----

                            Display Object Authority                            
                                                                                
 Object . . . . . . . :   DSPSECA         Owner  . . . . . . . :   QSYS         
   Library  . . . . . :     QSYS          Primary group  . . . :   *NONE        
 Object type  . . . . :   *CMD            ASP device . . . . . :   *SYSBAS      
                                                                                
 Object secured by authorization list  . . . . . . . . . . . . :   *NONE        
                                                                                
                          Object                                                
 User        Group       Authority                                              
 *PUBLIC                 *USE                                                   

-----

If running "select * from qsys2.security_info", I can see their values. So it looks like it does not require any specific authority.
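A small probe built around Marc's query, added here as an illustration and not code from the thread or from IBM. It runs SELECT * FROM QSYS2.SECURITY_INFO over any DB-API connection (a pyodbc connection through the IBM i Access ODBC driver in practice; the system, user and password are placeholders you supply) and separates the three outcomes the thread describes: the query succeeds and the attribute can be read, the query fails with SQL0443 because the user lacks *AUDIT or *SECADM, or something else went wrong. The thread does not give the view's column name for the "Additional sign-on factor" attribute, so the column is located by keyword match, and the column name and values in the offline demo are constructed, not real IBM i output.

```python
"""Probe QSYS2.SECURITY_INFO for the additional sign-on factor attribute.

Added example (not from the thread or from IBM). Assumptions: pyodbc and the
IBM i Access ODBC driver for the real connection; the column name matched below
is a guess by keyword, since the thread does not state it.
"""

SQL = "SELECT * FROM QSYS2.SECURITY_INFO"  # the query Marc suggested


def classify_error(message: str) -> str:
    """Map a DB error text to an outcome.

    SQL0443 with the special-authority text (the error Joe reported) means the
    connected user lacks *AUDIT / *SECADM; anything else is reported as-is.
    """
    if "SQL0443" in message and "SPECIAL AUTHORITY REQUIRED" in message.upper():
        return "insufficient_authority"
    return "other_error"


def find_mfa_column(columns):
    """Return the column whose name looks like the 'Additional sign-on factor'
    attribute, or None. Keyword match because the exact name is not known here."""
    for name in columns:
        normalized = name.upper().replace("_", "")
        if "SIGNON" in normalized and "FACTOR" in normalized:
            return name
    return None


def probe(conn):
    """Run the query on a DB-API connection and describe what happened."""
    try:
        cur = conn.cursor()
        cur.execute(SQL)
        columns = [d[0] for d in cur.description]
        row = cur.fetchone()
    except Exception as exc:  # pyodbc.Error and friends carry the SQL message text
        return {"status": classify_error(str(exc))}
    col = find_mfa_column(columns)
    if col is None:
        return {"status": "column_not_found", "columns": columns}
    return {"status": "ok", "column": col, "value": row[columns.index(col)]}


def connect_odbc(system, user, password):
    """Open a real connection via the IBM i Access ODBC driver (placeholders:
    system/user/password). Imported lazily so the offline demo needs no driver."""
    import pyodbc
    return pyodbc.connect(
        f"DRIVER={{IBM i Access ODBC Driver}};SYSTEM={system};UID={user};PWD={password}"
    )


# --- Constructed stand-ins so the probe can be exercised offline ------------
class _ConstructedCursor:
    """Constructed DB-API cursor; mimics success or a driver error message."""

    def __init__(self, columns=None, row=None, error=None):
        self.description = [(c,) for c in (columns or [])]
        self._row = row
        self._error = error

    def execute(self, sql):
        if self._error:
            raise RuntimeError(self._error)

    def fetchone(self):
        return self._row


class ConstructedConnection:
    """Constructed DB-API connection wrapping the cursor above."""

    def __init__(self, **cursor_kwargs):
        self._kwargs = cursor_kwargs

    def cursor(self):
        return _ConstructedCursor(**self._kwargs)


if __name__ == "__main__":
    # Unprivileged user: the SQL0443 text from the thread.
    print(probe(ConstructedConnection(
        error="[SQL0443] *AUDIT OR *SECADM SPECIAL AUTHORITY REQUIRED")))
    # Privileged user: constructed column name and value, not real IBM i output.
    print(probe(ConstructedConnection(
        columns=["SECURITY_LEVEL", "ADDITIONAL_SIGNON_FACTOR"], row=(40, "*NO"))))
```

Note that the probe needs an already authenticated database connection, so at best it tells a signed-on user with the right special authority what the attribute is; it does not answer the pre-sign-on case Joe asked about, and the SQL0443 branch is exactly what an ordinary user will hit.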

Amneris Fátima Teruel

Hi Joe!

I don't know the answer to your question and I understand your need, BUT from a security perspective, why should the IBM i inform if it has MFA enabled when the user has not even tried to log in? Why should it do that? Why expose that important security configuration?

The same way you cannot view the security attributes once you are inside the system, even less when you are not yet authenticated.

What do you think?

Amneris