====== Using Multi-factor Authentication with TSM/ISP ======
This HowTo only covers the //[[https://www.ibm.com/products/verify-identity|IBM Security Verify]]// app and, for the required QR code, the generator from [[https://freeotp.github.io/qrcode.html|FreeOTP]]. Other TOTP apps and QR generators will work similarly.
====== Preparation ======
===== Creating a QR code using FreeOTP.github.io =====
  * Go to the URL https://freeotp.github.io/qrcode.html
{{ :en:services:storage_services:backup:tsm:admin:freeotp.png?600 |}}
  * Adjust the necessary inputs:
    * Issuer (optional) => //GWDG / TSM// (or whatever).
    * Account => name of the admin account in TSM, e.g. //tbnachtw//
    * Change algorithm //SHA256// to //SHA1//
    * Change selection //counter// to //timeout//
  * Keep the already correct settings:
    * //Digits// remains at //6//
    * //timeout// of //30s// remains
    * no check at //Lock//
  * The QR code changes :-)
{{ :en:services:storage_services:backup:tsm:admin:freeotp_4_tsm.png?600 |}}
===== Create admin accounts with MFA / enable MFA for admin accounts =====
Use the //base32string// next to the //Random// button as //Shared Secret// when creating / changing the TSM admin account:
REGister Admin [other options] MFARequired=Yes SHAREDSecret=
or, to enable MFA for an existing admin account:
UPDate Admin MFARequired=Yes SHAREDSecret=
===== Setting up the TOTP app =====
  * Create a profile in the TOTP app (here: //IBM Security Verify//)
  * Import the QR code into the TOTP app
===== Logon with MFA =====
When logging in as admin, the admin CLI still asks for username and password, but with MFA the latter consists of two parts: the admin password followed by the 6-digit TOTP token. For example, for the combination of
  * //user name// ''Admin'',
  * //password// ''Admin4TSM'' and
  * //one-time MFA token// ''238 291''
the one-time MFA password is ''Admin4TSM238291''
====== Acknowledgment ======
Thanks to [[mailto:bruno.friess@exstor.de| Bruno Friess / Exstor]] for his introduction to the topic at GSE meetings and at the GWDG TSM JourFixe.