Although application layer security is not standardized, there is one application layer form of security that approaches an industry standard: user ID and password authentication.

On z/OS, the authorizations granted to an end user are all associated with the active user ID. When a user logs onto telnetd for example, a SAF call is made to verify that the password supplied matches that of the user ID. Once verified, this user ID becomes associated with a security environment that lasts the duration of the session. SAF products such as RACF allow the creation of specific password rules, forcing them to be of a minimum length, to be renewed regularly, to be not repeated, and to contain a variety of character types.

Although it is often taken for granted, the user ID and password method of authorization is still arguably the best.