We have a group of users who can only have a physical key token instead of a soft token (an app on the cellphone). These users are required to enter a PIN (4 digits) + token (6 digits) when logging on to TSO. As the password field on the TSO logon screen allows only 8 characters, how should these users enter their PIN + token to log on to TSO using Advanced Authentication for Mainframe, aka MFA?
Release: TOPSEC00200-16.0-Top Secret-Security
The following information is at the link below:
Important! For CA Advanced Authentication Mainframe signons to be successful, the application that is performing the signon validation must support password phrases or support areas for entering an old password and new password.

Follow these steps:

1. Perform the following verifications before signing on:
   - Ensure that the IBM RACF userid is defined to the RSA server and a SecurID token has been assigned.
   - Ensure that the user is defined with the correct MFA userid segment.

2. Sign on by entering the RSA passcode in the password phrase area or by using the password and new password fields:

   Password Phrase Method
   If the application supports password phrases, the RSA passcode can be entered in the password phrase area of the application logon screen.

   Password + New Password Method
   The password and new password fields can be used to enter the RSA passcode. For IBM RACF, the software token is entered in the password field, and the PIN (if any) is entered in the new password field.

Note: Many applications require you to enter the new password twice for verification. The application does not know whether the new password is really just a new password or part of an RSA passcode. So, you might need to enter the new password portion of the RSA passcode twice.