The problem with passwords
The security of our systems often comes down to our ability to select a strong password. But, it turns out that many of us have poor password habits. It can be frustrating on to be greeted with a “password expired message” on a Monday morning, when we just need to log on and get work done. Then we’re asked to choose a long, strong, unique password and remember it. Faced with this challenge, we often take shortcuts and use our favorite sports team, our pet’s name, or a pattern on the keyboard. Once we come up with a password, we often write it down or end up reusing it on other systems. Combine these poor password habits with malware, keyboard logging software, and offline password database cracking, and it’s easy to see why protecting systems with only passwords is falling out of favor.
One way to mitigate many inherent issues with passwords is to use multi-factor authentication (MFA). A system that uses MFA requires that users provide two different authentication factor types. Each type must be from a separate authentication factor category, when authenticating to the system. The authentication factor categories are:
- Something you know (such as a password or PIN code)
- Something you have (such as an ID badge or cryptographic token device)
- Something you are (such as a fingerprint or retinal scan)
Systems that require MFA are resistant to many of the attacks that target passwords. Accounts cannot be compromised, even if someone has captured one of the authentication factors. If your cryptographic token is stolen, the PIN code must also be compromised to gain access to your account. If your password is recorded by a malware infected PC, a token device is still required to log on. The extra authentication assurance provided by MFA can be the difference between a secure system and a compromised one.
IBM Multi-Factor Authentication for z/OS
IBM Multi-Factor Authentication for z/OS is a new product that works together with RACF. Once IBM MFA is installed and configured, the security administrator can use RACF commands to provision z/OS users to require MFA authentication at log-on. Once provisioned for MFA, users are required to provide multiple factors when authenticating to z/OS applications. When these users log on to z/OS applications, RACF detects that the user requires MFA authentication and calls the IBM MFA product. Additionally, RACF logs the MFA authentication event to SMF.
Most z/OS applications that authenticate users with SAF interfaces do not need to be updated to use MFA. They simply continue to prompt users for a user ID and authenticator and pass it to SAF/RACF. An application bypass option is provided to support authentication with the RACF password for applications that cannot yet support MFA. IBM MFA also has support for session managers or other similar applications, which authenticate users with a PassTicket. For recovery scenarios, RACF offers an MFA Password Fallback option which can allow MFA users to authenticate with their password when MFA processing becomes unavailable.
Starting with z/OS V2R1 with required PTFs, IBM MFA and the RACF MFA infrastructure are available with support for RSA SecurID hard and soft tokens, IBM TouchToken and PIV/CAC /Certificate based Smart Card authentication with RACF password.