Introduction to IBM MFA

IBM® Multi-Factor Authentication for z/OS®, referred to in this document as IBM MFA, provides alternate authentication mechanisms for z/OS networks. These mechanisms are used in conjunction with RSA SecurID-based authentication systems, Apple Touch ID devices, and certificate authentication options such as PIV/CAC cards. IBM MFA allows RACF to use these alternate authentication mechanisms in place of the standard z/OS password.

The most common method for authenticating users to z/OS systems is the use of passwords or password phrases. Unfortunately, passwords present a relatively simple point of attack. For systems that rely on passwords to remain secure, they must enforce password controls and provide user education, because users tend to pick common passwords, write passwords down, and unintentionally install malware that logs passwords. Additionally, building an extremely powerful dedicated password-cracking system has become trivial and low-cost. Clients are therefore looking for ways to raise the assurance level of their systems by requiring additional authentication factors from users.

You can use IBM MFA with a wide variety of applications. Examples covered in this document include:
  • TSO/E. Time Sharing Options (TSO/E) allows users to create an interactive session with the z/OS system. TSO provides a single-user logon capability and a basic command-prompt interface to z/OS.
  • CICS CESL. Customer Information Control System (CICS) is a family of application servers and connectors that provides industrial-strength, online transaction management and connectivity for mission-critical applications.
  • z/OSMF. IBM z/OS Management Facility (z/OSMF) provides a web-based interface that allows you to manage various aspects of your z/OS systems through a browser.
  • IBM OpenSSH. OpenSSH provides secure encryption for both remote login and file transfer.