
IBM Multi-Factor Authentication – Increasing assurance for a secured infrastructure


There are many complex facets of computer security, but some of the most basic safeguards are also the most common avenues that criminals use to gain access to people’s systems. Many reported breaches are directly caused by weak, default, and stolen passwords. These breaches are costly both to an organization’s bottom line and to its reputation. One of the most important measures we can take is to ensure that the users of our systems are authenticated with high assurance. Relying on passwords to protect mission-critical systems is no longer the only option.

The problem with passwords

The security of our systems often comes down to our ability to select a strong password. But it turns out that many of us have poor password habits. It can be frustrating to be greeted with a “password expired” message on a Monday morning, when we just need to log on and get work done. Then we’re asked to choose a long, strong, unique password and remember it. Faced with this challenge, we often take shortcuts and use our favorite sports team, our pet’s name, or a pattern on the keyboard. Once we come up with a password, we often write it down or end up reusing it on other systems. Combine these poor password habits with malware, keyboard logging software, and offline password database cracking, and it’s easy to see why protecting systems with only passwords is falling out of favor.

Multi-Factor Authentication

One way to mitigate many inherent issues with passwords is to use multi-factor authentication (MFA). A system that uses MFA requires users to provide two different authentication factors when authenticating to the system, and each factor must come from a separate authentication factor category. The authentication factor categories are:

  • Something you know (such as a password or PIN code)
  • Something you have (such as an ID badge or cryptographic token device)
  • Something you are (such as a fingerprint or retinal scan)

Systems that require MFA are resistant to many of the attacks that target passwords. Capturing one of the authentication factors is not enough to compromise an account. If your cryptographic token is stolen, the PIN code must also be compromised to gain access to your account. If your password is recorded by a malware-infected PC, a token device is still required to log on. The extra authentication assurance provided by MFA can be the difference between a secure system and a compromised one.

IBM Multi-Factor Authentication for z/OS

IBM Multi-Factor Authentication for z/OS is a new product that works together with RACF. Once IBM MFA is installed and configured, the security administrator can use RACF commands to provision z/OS users to require MFA authentication at log-on. Once provisioned for MFA, users are required to provide multiple factors when authenticating to z/OS applications. When these users log on to z/OS applications, RACF detects that the user requires MFA authentication and calls the IBM MFA product. Additionally, RACF logs the MFA authentication event to SMF.

Most z/OS applications that authenticate users with SAF interfaces do not need to be updated to use MFA. They simply continue to prompt users for a user ID and authenticator and pass it to SAF/RACF. An application bypass option is provided to support authentication with the RACF password for applications that cannot yet support MFA. IBM MFA also has support for session managers or other similar applications, which authenticate users with a PassTicket. For recovery scenarios, RACF offers an MFA Password Fallback option which can allow MFA users to authenticate with their password when MFA processing becomes unavailable.
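The logon paths described above, as an added example that is not IBM or RACF code: a small model showing which authenticator decides each logon, and a check that picks out MFA users whose logon was decided by password alone through the bypass or fallback path. The names, the order of the checks, the per-user fallback switch and the denial when fallback is not allowed are assumptions of this sketch, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: str
    mfa_required: bool   # provisioned for MFA by the security administrator
    pw_fallback: bool    # assumption: password fallback is allowed per user

# Constructed sample policy; the application name is hypothetical.
BYPASS_APPS = {"LEGACYAPP"}  # applications that cannot yet support MFA

def logon_path(user, app, mfa_available):
    """Return which authenticator this logon is checked against."""
    if not user.mfa_required:
        return "PASSWORD"
    if app in BYPASS_APPS:
        return "PASSWORD_BYPASS"
    if mfa_available:
        return "MFA"
    # MFA processing is unavailable: only fallback users may use a password.
    return "PASSWORD_FALLBACK" if user.pw_fallback else "DENY"

def audit(users, attempts):
    """One record per attempt, standing in for the logged logon event."""
    return [{"user": uid, "app": app,
             "path": logon_path(users[uid], app, mfa_up)}
            for uid, app, mfa_up in attempts]

def downgraded(records, users):
    """Logons by MFA users that were decided by password alone."""
    weak = {"PASSWORD_BYPASS", "PASSWORD_FALLBACK"}
    return [r for r in records
            if users[r["user"]].mfa_required and r["path"] in weak]

# Constructed sample users and attempts: (user, application, MFA available).
USERS = {
    "ALICE": User("ALICE", mfa_required=True, pw_fallback=True),
    "BOB": User("BOB", mfa_required=True, pw_fallback=False),
    "CAROL": User("CAROL", mfa_required=False, pw_fallback=False),
}
ATTEMPTS = [
    ("ALICE", "TSO", True),
    ("ALICE", "LEGACYAPP", True),
    ("ALICE", "TSO", False),
    ("BOB", "TSO", False),
    ("CAROL", "TSO", True),
]

if __name__ == "__main__":
    for rec in downgraded(audit(USERS, ATTEMPTS), USERS):
        print(rec)
```

Both password-only paths are worth reviewing regularly, because an account that uses them has only single-factor assurance for that logon.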

Starting with z/OS V2R1 with required PTFs, IBM MFA and the RACF MFA infrastructure are available with support for RSA SecurID hard and soft tokens, IBM TouchToken, and PIV/CAC/Certificate-based Smart Card authentication with RACF password.
