Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) requires that two or more authentication factors are presented during logon to verify a user's identity. Each authentication factor must be from a separate category of credential types: something that you know, something that you have, and something that you are. IBM® Multi-Factor Authentication for z/OS® (IBM MFA) enables CICS® to authenticate with multiple authentication factors.
- Something that you know: for example, a password or a security question.
- Something that you have: for example, a physical access control such as an ID badge, or a cryptographic token device.
- Something that you are: for example, a fingerprint or other biometric data.
To see which CICS access methods support MFA, see Which authentication method can I use with which access method?.
Why use MFA?
MFA is more secure than single factor authentication because it is not compromised if one of the factors is discovered. Use MFA whenever possible, particularly to protect access to high value data or sensitive data. MFA should also be used whenever nonrepudiation is required. MFA is required for compliance with many security standards, such as PCI DSS (Payment Card Industry Data Security Standard).
IBM Multi-Factor Authentication for z/OS (IBM MFA)
IBM Multi-Factor Authentication for z/OS (IBM MFA) supports authenticating with multiple authentication factors. You can configure profiles for RACF® users to require authentication through IBM MFA. RACF calls IBM MFA to help make the authentication decision during logon processing. See Multi-Factor Authentication for z/OS in z/OS Security Server RACF Security Administrator's Guide for an overview of MFA.
MFA tokens are supported on CICS session-based logon interfaces: CESN, CESL, CICSPlex® SM WUI, and CICS Explorer®.
In-band authentication
You generate a token by using one of the IBM MFA options and use that token directly to log on. CICS supports in-band MFA tokens if they can be entered as a single character string. Figure 1 illustrates in-band authentication with an MFA solution, such as RSA SecurID:
- The user logs on with a user ID and an RSA SecurID token and PIN®.
- CICS calls RACF to authenticate this information.
- When RACF determines that the user is an MFA user, RACF calls the RACF MFA server.
- The RACF MFA server calls RACF to retrieve the user's MFA factor details.
- The RACF MFA server validates the user's authentication factors by calling the RSA server.
- The MFA server passes back a return code to RACF.
- RACF passes back the return code to CICS.
- The user is either authenticated or rejected.
Figure 1. MFA in-band authentication
Out-of-band authentication
Allows you to authenticate on a user-specific web page with one or more factors, possibly in a sequence, to obtain a one-time-use token that you then use to log in. CICS supports out-of-band MFA tokens. Figure 2 illustrates out-of-band authentication:
- The user pre-authenticates through the RACF MFA web server.
- The RACF MFA web server calls the RACF MFA server, which stores the pre-authentication record in a session cache.
- The RACF MFA web server returns a One Time Passcode (OTP).
- The user logs on with a user ID and the OTP.
- CICS calls RACF to authenticate this information.
- When RACF determines that the user is an MFA user, RACF calls the RACF MFA server.
- The RACF MFA server calls RACF to retrieve the user's MFA factor details.
- The RACF MFA server validates the user's authentication factors by checking the session cache.
- The MFA server passes back a return code to RACF.
- RACF passes back the return code to CICS.
- The user is either authenticated or rejected.
Configuring RACF for compound in-band MFA terminal signon
Compound in-band authentication requires the user to supply an MFA token along with their existing password or phrase when the user signs on at a terminal. If the user's existing credentials are expired, then they are typically prompted to enter a new password or phrase. The signon is attempted again, which fails because the MFA token that was supplied has already been used by the initial signon attempt.
To allow MFA users to sign on successfully and change their expired credentials, you need to activate the IDTDATA class in RACF. This can be done by using the following command:
SETROPTS CLASSACT(IDTDATA)
You only need to create more profiles within the class when you want to change the default behavior of the generated IDTs. These IDTs are used only internally by CICS and do not need to be signed.
For more information about configuring the IDTs, see the IDTPARMS section of RDEFINE (Define general resource profile) or Activating and using the IDTA parameter in RACROUTE REQUEST=VERIFY and initACEE.
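The following is an added, constructed model (not IBM, RACF or CICS code) of the out-of-band flow and of the compound in-band signon problem described above: the MFA server's session cache hands out a single-use OTP, and a signon that must also change an expired password can only be re-driven when IDTDATA is active so that an identity token stands in for the already-consumed OTP. All class and function names, the token formats, and the simplified password change are assumptions of this model.

```python
# Constructed model (not IBM code) of the page's MFA flows: out-of-band session
# cache, single-use OTP consumption, and why expired-password signon needs IDTDATA.
import secrets
from dataclasses import dataclass, field

@dataclass
class MfaServer:
    """Stand-in for the RACF MFA server and its session cache."""
    session_cache: dict = field(default_factory=dict)  # OTP -> user

    def pre_authenticate(self, user):
        """Out-of-band: factors proven on the web page, an OTP is returned."""
        otp = secrets.token_hex(4)
        self.session_cache[otp] = user
        return otp

    def validate(self, user, otp):
        """The OTP is checked against the cache and consumed: single use."""
        return self.session_cache.pop(otp, None) == user

@dataclass
class Racf:
    """Stand-in for RACF; the IDTDATA class is inactive by default."""
    mfa: MfaServer
    passwords: dict                              # user -> current password
    expired: set = field(default_factory=set)    # users with expired passwords
    idtdata_active: bool = False
    idts: dict = field(default_factory=dict)     # issued IDT -> user

    def verify(self, user, password, otp=None, idt=None):
        """Return (status, idt); status is 'ok', 'expired' or 'rejected'."""
        if idt is not None:
            factor_ok = self.idts.pop(idt, None) == user  # IDT replaces OTP
        else:
            factor_ok = self.mfa.validate(user, otp)
        if not factor_ok or self.passwords.get(user) != password:
            return "rejected", None
        new_idt = secrets.token_hex(8) if self.idtdata_active else None
        if new_idt:
            self.idts[new_idt] = user
        return ("expired" if user in self.expired else "ok"), new_idt

def cics_signon(racf, user, password, otp, new_password=None):
    """Compound terminal signon; the re-drive after a password change can only use an IDT."""
    status, idt = racf.verify(user, password, otp=otp)
    if status != "expired" or new_password is None:
        return "rejected" if status == "expired" else status
    racf.passwords[user] = new_password          # simplified password change
    racf.expired.discard(user)
    return racf.verify(user, new_password, otp=otp, idt=idt)[0]
```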