IBM Multi-Factor Authentication – Increasing assurance for a secured infrastructure

Computer security has many complex facets, but some of the most basic safeguards are also the ones attackers most often defeat to gain access to systems. Many reported breaches are directly caused by weak, default, or stolen passwords. These breaches are costly both to an organization's bottom line and to its reputation. One of the most important measures we can take is to ensure that the users of our systems are authenticated with high assurance, and relying on a password alone to protect mission-critical systems is no longer the only option.

The problem with passwords

The security of our systems often comes down to our ability to select a strong password, but it turns out that many of us have poor password habits. It is frustrating to be greeted with a "password expired" message on a Monday morning, when we just need to log on and get work done, and then be asked to choose a long, strong, unique password and remember it. Faced with this challenge, we often take shortcuts and use our favorite sports team, our pet's name, or a pattern on the keyboard. Once we come up with a password, we often write it down or reuse it on other systems. Combine these habits with malware, keystroke loggers, and offline cracking of stolen password databases, and it is easy to see why protecting systems with only a password is falling out of favor.

Multi-Factor Authentication

One way to mitigate many of the inherent problems with passwords is multi-factor authentication (MFA). A system that uses MFA requires users to present two or more authentication factors when they authenticate, and each factor must come from a different category. The authentication factor categories are:

  • Something you know (such as a password or PIN code)
  • Something you have (such as an ID badge or cryptographic token device)
  • Something you are (such as a fingerprint or retinal scan)

Systems that require MFA are resistant to many of the attacks that target passwords, because an attacker who captures a single factor cannot log on with it alone. If your cryptographic token is stolen, the PIN code must also be compromised to gain access to your account. If your password is recorded by malware on an infected PC, the token device is still required to log on. (A one-time code can still be relayed in real time by a phishing proxy, so MFA raises the bar rather than eliminating credential attacks entirely.) The extra authentication assurance provided by MFA can be the difference between a secure system and a compromised one.
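As an added illustration of how the two factors combine (this is example code, not code from IBM MFA, RACF, or the original post), the following Python verifies a password against a PBKDF2 hash and a time-based one-time code computed per RFC 6238, the algorithm behind most soft tokens. The user record layout, the deterministic per-user salt, the audit reason strings, and the password-fallback flag are assumptions made for the example. It covers the failure modes the section describes: a stolen code without the password, the password without a current code, a code replayed after use, and the recovery case where the token service is down and only users explicitly allowed to fall back get in on the password alone.

```python
"""Two factors: a password (something you know) plus a TOTP token (something you have).
Illustrative only; the user record and audit reasons are constructed for this example."""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
WINDOW = 1          # accept one step of clock drift on either side


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; in production the salt is random per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // STEP_SECONDS)


def match_totp(secret: bytes, code: str, now: int) -> Optional[int]:
    """Return the time-step counter the code matches within the drift window, else None."""
    base = now // STEP_SECONDS
    for counter in range(base - WINDOW, base + WINDOW + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def make_user(userid: str, password: str, totp_secret: bytes, *,
              mfa_required: bool = True, pw_fallback: bool = False) -> dict:
    """Constructed user record; the salt is derived from the user ID only to keep the example deterministic."""
    salt = hashlib.sha256(userid.encode()).digest()
    return {"userid": userid, "salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "mfa_required": mfa_required,
            "pw_fallback": pw_fallback, "last_counter": -1}


def authenticate(user: dict, password: str, code: Optional[str], now: int,
                 mfa_service_up: bool = True) -> tuple:
    """Return (granted, audit_reason). The reason belongs in the audit log,
    not in the message shown to the user: a failed logon should not reveal
    which factor was wrong."""
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
    if not pw_ok:
        return False, "bad-password"
    if not user["mfa_required"]:
        return True, "password-only"
    if not mfa_service_up:
        # Recovery path: only users explicitly permitted to fall back get in on the password alone.
        return (True, "password-fallback") if user["pw_fallback"] else (False, "mfa-unavailable")
    counter = match_totp(user["totp_secret"], code or "", now)
    if counter is None:
        return False, "bad-token"        # stolen password alone, or a code from another time step
    if counter <= user["last_counter"]:
        return False, "token-replayed"   # a captured code is single-use
    user["last_counter"] = counter
    return True, "mfa"


if __name__ == "__main__":
    # The secret below is the RFC 6238 test-vector key, used here as constructed sample data.
    user = make_user("JSMITH", "correct horse battery", b"12345678901234567890")
    print(authenticate(user, "correct horse battery", totp(user["totp_secret"], 59), 59))
    print(authenticate(user, "correct horse battery", None, 59))
```

The replay check is the detail most often omitted in home-grown implementations: within the drift window a code is valid for up to ninety seconds, so a code captured by a keystroke logger remains usable unless the server remembers the last counter it accepted.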

IBM Multi-Factor Authentication for z/OS

IBM Multi-Factor Authentication for z/OS is a new product that works together with RACF. Once IBM MFA is installed and configured, the security administrator uses RACF commands to provision which z/OS users must authenticate with MFA at log-on. When a provisioned user logs on to a z/OS application, RACF detects that the user requires MFA, calls the IBM MFA product to validate the factors, and logs the MFA authentication event to SMF.

Most z/OS applications that authenticate users through SAF interfaces do not need to be updated to use MFA. They continue to prompt for a user ID and an authenticator and pass them to SAF/RACF, which decides whether MFA applies. An application bypass option allows authentication with the RACF password for applications that cannot yet support MFA, and IBM MFA also supports session managers and similar applications that authenticate users with a PassTicket. For recovery scenarios, RACF offers an MFA Password Fallback option that allows MFA users to authenticate with their password when MFA processing is unavailable. Both the bypass and the fallback lower assurance for the users and applications they cover, so they should be granted narrowly and their use reviewed in the SMF records.

Starting with z/OS V2R1 with the required PTFs, IBM MFA and the RACF MFA infrastructure are available with support for RSA SecurID hard and soft tokens, IBM TouchToken, and PIV/CAC/certificate-based smart card authentication, each used in combination with the RACF password.

IBM Senior Software Engineer, z/OS Security
