This HowTo only covers the use of the IBM Security Verify app and respectively for the required QR code the generator from FreeOTP, other TOTP apps and QR generators will work similarly.

• Go to the URL https://freeotp.github.io/qrcode.html

• Adjust the necessary inputs:
  • Issuer (optional) ⇒ GWDG / TSM (or whatever).
  • Account ⇒ name of the admin account in TSM, e.g. tbnachtw
  • change algorithm SHA256 to SHA1
  • Change selection counter to timeout
• Keep the already correct settings
  • Digits remains at 6
  • timeout of 30s remains
  • no check at Lock
• The QR code changes

Use the base32string next to the Random button as Shared Secret when creating / changing the TSM admin account:

REGister Admin <NAME> <password> [other options] MFARequired=Yes SHAREDSecret=<base32string> 

respectively

UPDate Admin <Name> MFARequired=Yes SHAREDSecret=<base32string> 

• Create a profile in the TOTP app (e.g. using IBM Security Verify as an example)
  • import QR code into TOTP app

When logging in as admin, the admin CLI still asks for username and password, but with MFA the latter consists of two parts: the admin password + the 6-number TOTP token, so e.g. for the combination of

• user name Admin,
• password Admin4TSM and
• on time MFA token 238 291

the ont-time MFA password is Admin4TSM238291

Thanks to Bruno Friess / Exstor for his introduction to the topic at GSE meetings and at the GWDG TSM JourFixe.