This HowTo only covers the use of the IBM Security Verify app and respectively for the required QR code the generator from FreeOTP, other TOTP apps and QR generators will work similarly.
Use the base32string next to the Random button as Shared Secret when creating / changing the TSM admin account:
REGister Admin <NAME> <password> [other options] MFARequired=Yes SHAREDSecret=<base32string>
respectively
UPDate Admin <Name> MFARequired=Yes SHAREDSecret=<base32string>
When logging in as admin, the admin CLI still asks for username and password, but with MFA the latter consists of two parts: the admin password + the 6-number TOTP token, so e.g. for the combination of
Admin
, Admin4TSM
and 238 291
the ont-time MFA password is Admin4TSM238291
Thanks to Bruno Friess / Exstor for his introduction to the topic at GSE meetings and at the GWDG TSM JourFixe.