Testing out IBM's MFA V2.0 on ACF2 R16. After PTF SO13978 was installed, it fails. After the ACF2 admin marks the userid for re-registration, it fails.
The manual states:
CHANGE userid.AZFCERT1 NOACTIVE TAGS() REP
ACF
SET PROFILE(USER) DIVISION(MFA)
CHANGE userid.AZFCERT1 TAGS(REGSTATE:OPEN)
The JCL used to reset the MFA segment is the same JCL that was used the last few times to reset it for testing.
The MFA web log shows:
20200722115920.338692 MFAWEB:serveCertEnrollGet going to serve html/azfcert1.html
20200722115953.819751 MFAWEB:saf verify returned sts: 0, rc: 0, rsn: 0x0
20200722115953.819818 MFAWEB:msg: ACF01137 USER01 LAST SYSTEM ACCESS 11.16-07/22/20 FROM STCINRDR
20200722115953.826055 AZFCERT1:Error setting AZFCERT1 factor data (sts=0,safrc=8,racfrc=12,racfrsn=0x4)
20200722115953.826130 MFAWEB:serveCertEnrollPost: certuser_commitToRACF failed (sts=0,safrc=8,racfrc=12,racfrsn=0x4)
Release : 16.0
Component : CA ACF2 for z/OS
PTF SO13978 changed the way the PROFILE(USER),DIV(MFA) record is updated for the user. Now the AZFWEB started task needs SECURITY privilege to update PROFILE(USER),DIV(MFA) records.
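The log excerpt above shows the pattern to look for: the SAF verify returns rc 0, and the factor data update then fails with a non-zero safrc. The Python script below is an added example, not part of the original article or of any IBM or Broadcom tooling; it scans MFA web log text for that pattern. The function name and the regular expressions are this example's own and assume the line layout seen in the excerpt.

```python
import re

# Constructed sample: the MFA web log lines quoted in the article.
SAMPLE_LOG = """\
20200722115920.338692 MFAWEB:serveCertEnrollGet going to serve html/azfcert1.html
20200722115953.819751 MFAWEB:saf verify returned sts: 0, rc: 0, rsn: 0x0
20200722115953.819818 MFAWEB:msg: ACF01137 USER01 LAST SYSTEM ACCESS 11.16-07/22/20 FROM STCINRDR
20200722115953.826055 AZFCERT1:Error setting AZFCERT1 factor data (sts=0,safrc=8,racfrc=12,racfrsn=0x4)
20200722115953.826130 MFAWEB:serveCertEnrollPost: certuser_commitToRACF failed (sts=0,safrc=8,racfrc=12,racfrsn=0x4)
"""

# Assumed layout: "<14-digit timestamp>.<microseconds> <COMPONENT>:<message>"
LINE_RE = re.compile(r"^(?P<ts>\d{14}\.\d{6}) (?P<comp>[A-Z0-9]+):(?P<msg>.*)$")
VERIFY_RE = re.compile(r"saf verify returned sts: \d+, rc: (\d+), rsn: 0x[0-9a-fA-F]+")
USER_RE = re.compile(r"msg: ACF01137 (\S+) LAST SYSTEM ACCESS")
CODES_RE = re.compile(r"\(sts=(\d+),safrc=(\d+),racfrc=(\d+),racfrsn=(0x[0-9a-fA-F]+)\)")


def find_update_failures(log_text):
    """Return one finding per log line that reports a non-zero safrc."""
    findings, verify_ok, user = [], None, None
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # skip blank or unrecognised lines
        msg = line.group("msg")
        if (m := VERIFY_RE.search(msg)):
            # New sign-on attempt: remember whether the SAF verify worked.
            verify_ok, user = int(m.group(1)) == 0, None
        elif (m := USER_RE.search(msg)):
            user = m.group(1)  # userid named in the ACF01137 message
        elif (m := CODES_RE.search(msg)) and int(m.group(2)) != 0:
            findings.append({
                "timestamp": line.group("ts"),
                "component": line.group("comp"),
                "user": user,
                "verify_ok": verify_ok,
                "safrc": int(m.group(2)),
                "racfrc": int(m.group(3)),
                "racfrsn": int(m.group(4), 16),
            })
    return findings


if __name__ == "__main__":
    for f in find_update_failures(SAMPLE_LOG):
        note = "sign-on verified, update rejected" if f["verify_ok"] else "update rejected"
        print(f"{f['timestamp']} {f['component']} user={f['user']} {note} "
              f"safrc={f['safrc']} racfrc={f['racfrc']} racfrsn={f['racfrsn']:#x}")
```

A finding with verify_ok set to True means the user's sign-on was accepted and only the record update was refused, which is the case this article resolves by giving the AZFWEB started task the SECURITY privilege.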