Implementing IBM MFA out-of-band authentication.  Once an MFA approved and activated userid gets a logon token and pastes it into the TSO logon password field gets  "Invalid password" message. 

Need to activate IBM MFA globally using the TSS MFA option:

MFA(IBMRSA(factor_activation,FALLBACK))

Need to enable MFA(IBMRSA(FACILITY)).

2 questions:

1. Is it necessary to enable the TSS MFA option for MFA to work or can MFA be enabled on an individual userid basis

2. If the MFA(IBMRSA(FACILITY)) option is required, will this affect all users.  Do not want to enable a global option that will break regular password logons.

Release : 16.0

Component : CA Top Secret for z/OS

For question 1:

"Is it necessary to enable the TSS MFA option for MFA to work or can MFA be enabled on an individual user basis?"

Answer:

Yes and yes!

It is necessary to set the TSS control option MFA(IBMRSA...)  to activate IBM MFA; and it is also necessary to have a MFA segment defined to the userid

Without the TSS control option MFA being activated, all logons will be treated as non-MFA events. 

For question 2:

2. "If the MFA(IBMRSA(FACILITY)) option is required, will this affect all users?   Do not want to enable a global option that will break regular password logons."

Answer:

No!

The user would require the MFA segment defined with MFACTIVE(YES) or MFACTIVE(FACILITY).

With FACILITY, the user would also need the CASECMFA permit to entity (TSSMFA.IBM.tssfacility).

In your case, you have MFACTIVE(YES) so no addition permit is needed.

All you need to do is turn on the MFA global control option. 

TSS MODI MFA(IBMRSA(FACILITY)) 

Setting to IBMRSA(YES) will work as well, but user would still need MFA segment defined.