When setting up IBM MFA Out-of-Band authentication for the first time on an LPAR using ACF2, the following messages are seen in the IBM MFA started task error log:
AZF2406E R_factor error: safrc=8, racfrc=12, racfrsn=0x4 (Factor not defined) (Set user factor data, userid=userid, sts=0)
AZF4125W Failed to update user's CVALUE, replay protection inoperative
AZF8107E Failed to update AZFMETAS user data; brute-force protection inoperative
The factors are defined and MFA user profile records are defined for the users. Users are still able to authenticate despite these messages, but how could the messages be resolved?
The logonid for the IBM MFA Started Task that runs program AZF#IN00 needs to have the ACF2 SECURITY privilege. The logonid must be able to change MFA user profile records in the INFOSTG database, which in ACF2 can only be accomplished by granting SECURITY access.
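Because users can still authenticate while these messages are logged, the loss of replay and brute-force protection is easy to miss. The following is an added example, not part of the original article or any vendor tooling: a Python check that scans a copy of the started task error log for the three messages quoted above and reports which protections are inoperative per userid. The userids in the sample are constructed, and attributing each warning to the preceding AZF2406E userid is an assumption based on the message order shown above.

```python
import re
from collections import defaultdict

# Constructed sample: the three messages quoted above, with made-up userids.
SAMPLE_LOG = """\
AZF2406E R_factor error: safrc=8, racfrc=12, racfrsn=0x4 (Factor not defined) (Set user factor data, userid=USER01, sts=0)
AZF4125W Failed to update user's CVALUE, replay protection inoperative
AZF8107E Failed to update AZFMETAS user data; brute-force protection inoperative
AZF2406E R_factor error: safrc=8, racfrc=12, racfrsn=0x4 (Factor not defined) (Set user factor data, userid=USER02, sts=0)
AZF4125W Failed to update user's CVALUE, replay protection inoperative
"""

# search() is used instead of match() so a timestamp or job prefix is tolerated.
R_FACTOR = re.compile(
    r"AZF2406E R_factor error: safrc=(?P<safrc>\d+), racfrc=(?P<racfrc>\d+), "
    r"racfrsn=(?P<racfrsn>0x[0-9A-Fa-f]+) \((?P<reason>[^)]*)\) "
    r"\((?P<operation>[^,]*), userid=(?P<userid>[^,]+), sts=\d+\)")
PROTECTION = re.compile(
    r"AZF(?:4125W|8107E) .*?(?P<kind>replay|brute-force) protection inoperative")


def scan(log_text):
    """Return {userid: {"errors": [(safrc, racfrc, racfrsn, reason)], "inoperative": set}}."""
    findings = defaultdict(lambda: {"errors": [], "inoperative": set()})
    current = "(unknown)"  # used when a warning appears before any AZF2406E line
    for line in log_text.splitlines():
        m = R_FACTOR.search(line)
        if m:
            current = m["userid"]
            findings[current]["errors"].append(
                (int(m["safrc"]), int(m["racfrc"]), int(m["racfrsn"], 16), m["reason"]))
            continue
        m = PROTECTION.search(line)
        if m:
            # Assumption: the warning belongs to the most recent AZF2406E userid.
            findings[current]["inoperative"].add(m["kind"])
    return dict(findings)


if __name__ == "__main__":
    for userid, f in scan(SAMPLE_LOG).items():
        print(f"{userid}: inoperative={sorted(f['inoperative'])} errors={f['errors']}")
```

An empty result after the started task logonid has been given SECURITY and the task has been restarted indicates the profile updates are succeeding.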