A third party can provide one or more X.509 certificates that can be used for authenticating a user. When stored on secure devices, X.509 certificates combine a secure setup with ease of use for the user (no user ID or password needed).
Upon connection, the client provides a selected certificate, and optionally a selected extension, which is used to authenticate the user ID with your security product.
Developer for System z will require additional customization, as described in Certificate validation and Certificate authentication. Also note that this authentication method is only supported by the RSE daemon connection method, and that SSL must be enabled.