The IBM MFA Factor AZFTOTP1 enrollment URL gives this error:

AZF5177E An internal server error prevented enrollment of your new TouchToken Account.

AZF#IN01 log shows:

AZFTOTP:Failed to set user factor data (sts=0,safrc=8,racfrc=12,racfrsn=0x4)
AZFTOTPWEB:AZF5160E Failed to commit a user's AZFTOTP1 factor data (ABCDE, safrc=8, racfrc=12, racfrsn=0x4)

Release : 16.0

Component :

The IBM MFA out-of-band Web Services Started Task AZFWEB logonid needs the logonid SECURITY privilege to be able to update TAGS fields in PROFILE(USER),DIV(MFA) records for all factors including AZFTOTP1, AZFCERT1 and AZFYUBI. 

Modify the AZFWEB started task as shown below:

ACF
SET LID
CHANGE AZFWEB SECURITY

There is an option to scope the SECURITY privilege as described in the IBM MFA Web services Started Task ID documentation.

PTF SO13978 is required for out-of-band support.