Who knows more about protecting zSystems than zSystems people?

Who knows more about protecting zSystems than zSystems people? Join your zSystems Security Community now!

See the product details for IBM Z Multi-Factor Authentication - Updated for V2.0

Latest IBM Z Multi-Factor Authentication features (v2.2)

Pluggable authentication modules

For use with Linux®on Z architecture. With these modules, administrators of supported Linux distributions can configure PAM-compatible Linux applications to require users to satisfy an MFA policy before access to the application is granted.

MFA configuration option to request browser clients receiving cache token credentials mask the display of such credentials

Used in combination with new server resources to honor this setting in the IBM Z MFA user interfaces for web-based policy authentication (z/OS and Linux).

Configure multiple instances of select MFA factors

Administrators on IBM®z/OS®are now able to configure multiple instances of select MFA Factors, providing improved flexibility when a single z/OS external security manager (ESM) database supports disparate tenant user communities.

Addition of a “Console Modify”command

Use to force the invalidation of all cache token credentials currently in the IBM Z MFA cache for a given user ID (z/OS only).

Support for RSA SecurID authentication

Via the RSA REST API (z/OS and Linux).

Web-based ESM password reset feature

For users who have forgotten their ESM password but who are able to successfully authenticate to an IBM Z MFA Policy (z/OS only).

Documentation and formal support for customer use of policy authentication

For web interfaces that were previously internal and undocumented (z/OS and Linux).

Compare the features of z/OS vs. z/VM and Linux on Z

All versions of IBM Z MFA secure user logons to z/OS, using parts that run on z/OS. IBM Z MFA 2.1 introduced protection for user logons to z/VM®. IBM Z MFA 2.2 can protect Linux on Z Architecture applications that support the PAM framework, using PAM modules that run on Linux.

IBM Z MFA 2.2 supports many authentication types and integration features. A partial list of supported features and integrations is included in the table below.

  • Listings with one asterisk (*)indicate features new in version 2.2.
  • Listing with two asterisks (**) indicates authentication types evaluated directly within IBM Z MFA without the use of an external network service. Allows time-based one-time passwords.

Comparison Table

Authentication features
  z/OS z/VM and Linux on Z
Multiple authentication types* Yes No
RSA SecurID w/ACEv5 UDP Yes Yes
TOTPs** Yes Yes
Generic RADIUS PAP via UDP Yes Yes
Generic RADIUS PAP via TCP Yes Yes

Additional IBM Z Multi-Factor Authentication features

Expanded across z/VM operating systems (new in 2.1)

Most features supported on z/OS will work on z/VM all under one license. Order via ShopZ, get both operating systems, choose which one to install, and leverage existing MFA infrastructure.

Protection beyond the z/OS Sysplex Boundary (new in 2.1)

Supports the production of secure credentials that can be used both within and beyond the boundary of the sysplex where the credential was generated. This simplifies MFA configurations in large environments.

Extensions for RACF, ACF2 and TopSecret with auditing and provisioning

Introduce factor extensions to components of IBM RACF®, ACF2 and TopSecret user-related commands. Extend Security Authorization Facility (SAF) programming interfaces to define supported tokens during user authentication requests, enabling MFA-aware applications to specify factors in addition to RACF, ACF2 and TopSecret passwords or phrases. Audit extensions and provision and define MFA tokens using RACF, ACF2 and TopSecret user-related commands.

RADIUS support: RSA, Gemalto and generic

Use any factor based on the RADIUS standard protocol through the IBM Z MFA RADIUS gateway. Support RSA SecurID Token, with time-based algorithm, hard token or software-based tokens. RSA SecureID and Gemalto SafeNet implementations offer more robust and granular messaging.

IBM CIV integration

In addition to the existing factor support, IBM Z MFA includes IBM Cloud Identity Verify (CIV) integration using the CIV RADIUS gateway and IBM Z MFA generic RADIUS protocol factor. CIV integration supports compound in-band authentication, where the CIV-generated OTP can be used with a RACF password or password phrase.

IBM TouchToken and generic TOTP

IBM TouchToken enables user authentication to be directly evaluated on z/OS to ensure a means of enforcing two-factor authentication with no additional off-platform validation. Generic TOTP support includes generic TOTP token applications, including standard-compliant TOTP third-party applications on Android and Microsoft Windows devices.

Compound authentication

Enforce compound authentication, where more than one factor is required in the authentication process. Compound in-band authentication requires the user to supply a RACF credential (password or password phrase) in conjunction with a valid MFA credential.

Centralized RACF, ACF2 and TopSecret database support

Store authentication data in the RACF, ACF2 or TopSecret database, define and alter MFA data with RACF, ACF2 or TopSecret commands, and unload non-sensitive MFA fields in the database with DBUNLOAD utility. z/OS® Security Server RACF, ACF2 and TopSecret enablement consists of updates to the database, commands, callable services, logon processing and utilities.

IBM ISAM integration

Initiate authentication via IBM Security Access Manager (ISAM), using the “pick-up One-Time Passcode (OTP) procedure.” Use the OTP is used instead of the password when logging on to z/OS. ISAM integration supports compound in-band authentication, where the ISAM-generated OTP can be used in conjunction with the user's RACF password or passphrase.

Native Yubico support

Utilize a variety of Yubikey devices that support the Yubico OTP algorithm. IBM Z MFA does not require an external authentication server, and all OTP evaluation is performed on the z/OS system by the IBM Z MFA started task.

Certificate-based authentication, PIV, CAC card support

Establish the foundation for supporting any certificate-based authentication system. Enable authentication for Personal Identity Verification (PIV) and Common Access Card (CAC) smart cards commonly used in federal government.

Fault tolerance and application exemption

Exempt MFA processing for applications with authentication properties that can prevent MFA from working properly. Define SAF profiles that will mark certain applications as excluded from MFA and allow a user to logon to that application with password, password phrase or PassTicket. Conversely, use SAF profiles to create inclusion policies to ease adoption of MFA for selected users and applications.