Introduction to IBM MFA

IBM® Multi-Factor Authentication for z/OS®, which is referred to in this document as IBM MFA, provides alternate authentication mechanisms for z/OS networks that are used in conjunction with RSA SecurID-based authentication systems, Apple Touch ID devices, certificate authentication options such as PIV/CAC cards, and more. IBM MFA allows RACF to use alternate authentication mechanisms in place of the standard z/OS password.

The most common method for authenticating users to z/OS systems is by the use of passwords or password phrases. Unfortunately, passwords can present a relatively simple point of attack for exploitation. In order for systems that rely on passwords to be secure, they must enforce password controls and provide user education. Users tend to pick common passwords, write down passwords, and unintentionally install malware that can log passwords. Additionally, building an extremely powerful dedicated password cracking computer system has become trivial and low-cost. Clients are looking for ways to raise the assurance level of their systems by requiring additional authentication factors for users.

You can use IBM MFA with a large variety of applications. Some examples provided in this document include:
  • TSO/E. Time Sharing Options (TSO/E) allows users to create an interactive session with the z/OS system. TSO provides a single-user logon capability and a basic command prompt interface to z/OS.
  • CICS CESL. Customer Information Control System (CICS) is a family of application servers and connectors that provides industrial-strength, online transaction management and connectivity for mission-critical applications.
  • z/OSMF. IBM z/OS Management Facility (z/OSMF) provides a web-based interface that allows you to manage various aspects of your z/OS systems through a browser.
  • IBM OpenSSH. OpenSSH provides secure encryption for both remote login and file transfer.