Due to more strict PCI requirements we are exploring MFA accessing our HMCs. On z14 and below RSA is not support only TOTP. On z15 machines, and above you can use IBM MFA to verify credentials logging onto the HMC using RSA. I opened an issue and it seems that AAM does not currently support this. I've tried to describe the order of events below (not very much HMC documentation on it) the HMC uses IBM MFA, and RSA SecurID.
User must supply their current RSA SecurID passcode and their HMC user ID and logon password. Password validated at HMC then RSA SecurID passcode is sent to MFA on zOS. MFA then verifies from RSA SecurID.