PWDRESET terminal-mode 2-Factor Authentication can be used also for user profiles specifying SPCENV(*S36).
The only difference with IBMi native user profiles is that with SPCENV(*S36) the user profile initial program must be slightly modified (see later in this page). The process to enable S/36 user profile to 2-Factor Authentication is the same as for IBMi native user profiles:

1. A security administrator must run command PWDRESET for the S/36 user profile, in order to enable it to the 2-F Authentication and to provide the user with a One Time Password (OTP).
   Parameter SPCENV(*S36) is removed from the user profile, because the PWDRESET 2-F Authentication programs must be run in IBM i native mode.and
2. Next, the user must logon with his user profile and the assigned OTP password and specify his new password.
3. Last, any time the user logs on with his user profile and his own password, he is requested to send, retrieve and enter a random numeric code assigned by his new initial program, PWDRESET/AUTH2FUSER.

The "small" problem
The "small" problem is that the user profile S/36 initial program (example: MYLIB/MYPGM ), instead of being started by the IBM i System/36 session manager, is now started by program PWDRESET/AUTH2FUSER with command STRS36 CURLIB(MYLIB) PRC(MYPGM).
Because of this, instead of being initiated within a predefined System/36 environment, the initial program is started in a System/36 environment with the job library list used for running program PWDRESET/AUTH2FUSER and with current library MYLIB.
This is why in most cases the user profile initial program MYLIB/MYPGM must be added some initial code to set up the correct job library list and current library.