IBM Multi-Factor Authentication – Increasing assurance for a secured infrastructure

There are many complex facets of computer security, but some of the most basic safeguards are also the most common avenues that criminals use to gain access to people’s systems. Many reported breaches are directly caused by weak, default, and stolen passwords. These breaches are costly both to an organization’s bottom line and to its reputation. One of the most important measures we can take is to ensure that the users of our systems are authenticated with high assurance. Relying on passwords to protect mission-critical systems is no longer the only option.

The problem with passwords

The security of our systems often comes down to our ability to select a strong password. But it turns out that many of us have poor password habits. It can be frustrating to be greeted with a “password expired” message on a Monday morning, when we just need to log on and get work done. Then we’re asked to choose a long, strong, unique password and remember it. Faced with this challenge, we often take shortcuts and use our favorite sports team, our pet’s name, or a pattern on the keyboard. Once we come up with a password, we often write it down or end up reusing it on other systems. Combine these poor password habits with malware, keyboard logging software, and offline password database cracking, and it’s easy to see why protecting systems with only passwords is falling out of favor.

Multi-Factor Authentication

One way to mitigate many inherent issues with passwords is to use multi-factor authentication (MFA). A system that uses MFA requires users to provide two different authentication factor types when authenticating to the system, and each type must come from a separate authentication factor category. The authentication factor categories are:

  • Something you know (such as a password or PIN code)
  • Something you have (such as an ID badge or cryptographic token device)
  • Something you are (such as a fingerprint or retinal scan)

Systems that require MFA are resistant to many of the attacks that target passwords. Capturing a single authentication factor is not enough to compromise an account. If your cryptographic token is stolen, the PIN code must also be compromised to gain access to your account. If your password is recorded by a malware-infected PC, a token device is still required to log on. The extra authentication assurance provided by MFA can be the difference between a secure system and a compromised one.

IBM Multi-Factor Authentication for z/OS

IBM Multi-Factor Authentication for z/OS is a new product that works together with RACF. Once IBM MFA is installed and configured, the security administrator can use RACF commands to provision z/OS users to require MFA authentication at log-on. Once provisioned for MFA, users are required to provide multiple factors when authenticating to z/OS applications. When these users log on to z/OS applications, RACF detects that the user requires MFA authentication and calls the IBM MFA product. Additionally, RACF logs the MFA authentication event to SMF.

Most z/OS applications that authenticate users with SAF interfaces do not need to be updated to use MFA. They simply continue to prompt users for a user ID and authenticator and pass it to SAF/RACF. An application bypass option is provided to support authentication with the RACF password for applications that cannot yet support MFA. IBM MFA also has support for session managers or other similar applications, which authenticate users with a PassTicket. For recovery scenarios, RACF offers an MFA Password Fallback option which can allow MFA users to authenticate with their password when MFA processing becomes unavailable.

Starting with z/OS V2R1 with required PTFs, IBM MFA and the RACF MFA infrastructure are available with support for RSA SecurID hard and soft tokens, IBM TouchToken, and PIV/CAC/certificate-based smart card authentication with RACF password.
