Authentication Improvements in IBM Cloud
21 March 2023
6 min read
In 2023, IBM Cloud is rolling out changes that will give you additional control and capabilities to better protect your user and Cloud account.

These capabilities include changes to the multifactor authentication (MFA) default settings for both new and existing accounts. A first notification regarding the upcoming changes was already sent out to IBM Cloud customers on March 15th, 2023, and subsequent notifications with more detailed instructions will follow soon.

Overview

This blog will give you insight into the recent changes that have already been enabled in IBM Cloud or will be enabled soon:

  • Configure authentication requirements for individual users: Since February 2023, you are able to specify different levels of ID-based multifactor authentication (MFA) for the whole account and for individual users. This gives you more flexibility in how you roll out MFA requirements inside your account and removes some of the obstacles that previously kept accounts from using ID-based MFA at all.

  • Disable login to CLI with username/password only: Logging in to the Command Line Interface (CLI) using a username/password combination is only used by a minority of customers, and even those customers typically need this feature for only a select number of individual users. Username/password authentication for the CLI was automatically disabled whenever a customer chose to require multifactor authentication for its users. With the latest updates, you can block CLI logins using username/password without requiring your users to apply multifactor authentication on each login.

  • New default authentication setting for IBM Cloud accounts: Disabling CLI logins using a username/password is an important feature to prevent account compromises. However, it only helps if customers adopt it broadly. Therefore, this account setting will be the default for all new IBM Cloud accounts and will also be applied to existing IBM Cloud accounts that still have not enabled any level of multifactor authentication.

The following sections will dive deeper into each change and feature and explain the consequences and improvements for you.

Configure authentication requirements for individual users

IBM Cloud offers two types of multifactor authentication (MFA): ID-based MFA and account-based MFA. While ID-based MFA is the preferred form of multifactor authentication, it has so far required enabling it for the whole IBM Cloud account. The following screenshot shows the ID-based MFA option for the account:

IBM Cloud Identity and Access Management: Authentication settings for the IBM Cloud account.

Since February 2023, in addition to the already existing account-wide ID-based MFA requirement, IAM administrators can configure an individual ID-based MFA requirement for each user that is a member of the IBM Cloud account (see also this Release Note). This way, customers can, for example, enforce a minimum security level of TOTP or security keys for all users of the IBM Cloud account, but exempt a special functional user that has to log in to the IBM Cloud CLI with its username and password for automation purposes. In such a scenario, please make sure to use a sufficiently complex password and to rotate it periodically for the functional user to minimize the security exposure. The following screenshot shows how to exempt a user from ID-based MFA:

Individual authentication settings for a user in the IBM Cloud Account.

You can also use this new feature to roll out ID-based MFA gradually across the users of an account. In this case, you keep the IBM Cloud default authentication requirement (no MFA required from any user), but enable ID-based MFA for individual users. This lets you control the order in which users of your IBM Cloud account adopt ID-based MFA: your key users can first gain some experience with the enrollment of ID-based MFA so they can help their colleagues with the later adoption. Eventually, in such a scenario, you would likely enable ID-based MFA as the account default and remove the users' individual settings.

Disable login to CLI with username/password only

When a user creates an IBM Cloud account, by default all users in this account are able to log in via the Command Line Interface using their username and password. This functionality can be used to automate operations work or to implement a build and deployment pipeline:

> ibmcloud login
API endpoint: https://cloud.ibm.com
Email> someuser@somecompany.com
Password> *********
Authenticating…
OK

Enabling this feature for all users in an account unnecessarily opens an attack vector, as this interface can also be misused by attackers trying to take over your user account. While IBM Cloud has sophisticated methods in place to detect a variety of attack patterns against user accounts and block those attacks, some scenarios—such as a user password revealed by eavesdropping or social engineering—might still be successful.

To close this attack vector, IBM Cloud now allows you to disable access to the Command Line Interface using a username and password with a simple switch in your account. If you need to keep Command Line Interface access using a username and password for an individual user, you can still disable it for all users by default and exempt individual users when needed, using “Configure authentication requirements for individual users” as described above.

Access to the Command Line Interface is not completely closed. Users can still log in using the “one-time passcode” method or an API key:

> ibmcloud login --sso
API endpoint: https://cloud.ibm.com
Region: us-south
Get a one-time code from https://identity-1.us-south.iam.cloud.ibm.com/identity/passcode to proceed.
Open the URL in the default browser? [Y/n] > y
One-time code > ********
Authenticating…
OK

In general, IBM recommends using an API key for automation instead of a username/password wherever possible:

> ibmcloud login --apikey @filename
API endpoint: https://cloud.ibm.com
Region: us-south
Authenticating…
OK

In addition, disabling Command Line login with username and password only also slightly changes the interactive login sequence with IBMid. If IBMid detects that you are logging in from a new device or browser, it asks you for an additional factor (e.g., a passcode sent to you via email). Once a user has logged in with that additional factor on a new device, they are not prompted for it again on that device. This feature is also called “device MFA.” It prevents certain programmatic attack vectors and enhances the security of your users’ accounts without bothering the user on each login interaction.

Like any other multifactor authentication option, the “Disable login to CLI with username/password only” feature first has to be enabled manually by an account IAM administrator (i.e., your users only benefit from this security enhancement if you enable it).
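The two features above share one rule: a user's individual setting, where one exists, replaces the account default. The following model is an added illustration of that rule and of the gradual rollout described earlier; it is not IBM's implementation and does not call the IAM API. The requirement names (NONE, NONE_NO_CLI_PASSWORD, TOTP, SECURITY_KEY), the method names and the sample account are assumptions constructed for the example.

```python
"""Constructed model of how an IBM Cloud account-level authentication
requirement and per-user overrides combine (added example, not IBM code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class AuthRequirement(IntEnum):
    """Ordered from weakest to strongest. Names are assumptions for this model."""
    NONE = 0                   # no MFA; CLI login with username/password allowed
    NONE_NO_CLI_PASSWORD = 1   # no ID-based MFA, but password-only CLI login disabled
    TOTP = 2                   # ID-based MFA: time-based one-time passcode
    SECURITY_KEY = 3           # ID-based MFA: FIDO security key


@dataclass
class AccountSettings:
    default_requirement: AuthRequirement = AuthRequirement.NONE
    # Per-user overrides keyed by IBMid e-mail (constructed field name).
    user_overrides: dict = field(default_factory=dict)


def effective_requirement(settings, user):
    """A user's own setting wins over the account default when present."""
    return settings.user_overrides.get(user, settings.default_requirement)


def allowed_cli_logins(settings, user):
    """CLI login methods still open to `user`.

    One-time passcode (`ibmcloud login --sso`) and API key (`--apikey`)
    stay available under every setting; username/password survives only
    when neither MFA nor the CLI restriction applies to the user."""
    methods = {"sso_passcode", "apikey"}
    if effective_requirement(settings, user) == AuthRequirement.NONE:
        methods.add("username_password")
    return methods


def interactive_login_needs_device_mfa(settings, user):
    """With password-only CLI login disabled and no stronger MFA, IBMid asks
    for an extra factor the first time it sees a new device or browser."""
    return effective_requirement(settings, user) == AuthRequirement.NONE_NO_CLI_PASSWORD


def start_pilot_rollout(settings, pilot_users, level):
    """Phase 1 of a gradual rollout: keep the account default, require
    ID-based MFA only for the pilot group via per-user settings."""
    for user in pilot_users:
        settings.user_overrides[user] = level
    return settings


def finish_rollout(settings, level, exempt_users=()):
    """Phase 2: make `level` the account default, drop the pilot overrides and
    keep only the exemptions for functional users that must use a password."""
    settings.default_requirement = level
    settings.user_overrides = {u: AuthRequirement.NONE for u in exempt_users}
    return settings


def weak_users(settings, known_users):
    """Audit helper: users who can still reach the CLI with only a password."""
    return sorted(u for u in known_users
                  if "username_password" in allowed_cli_logins(settings, u))


if __name__ == "__main__":
    # Constructed sample account with three members.
    users = ["alice@example.com", "bob@example.com", "ci-bot@example.com"]
    acct = AccountSettings()
    print("initial weak users:", weak_users(acct, users))
    start_pilot_rollout(acct, ["alice@example.com"], AuthRequirement.TOTP)
    print("after pilot:      ", weak_users(acct, users))
    finish_rollout(acct, AuthRequirement.TOTP, exempt_users=["ci-bot@example.com"])
    print("after rollout:    ", weak_users(acct, users))
```

The audit helper is the part worth keeping around: after each configuration change it lists exactly which identities can still log in to the CLI with nothing but a password, which is the set that the rotation and complexity advice above applies to.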

New default authentication setting for IBM Cloud accounts

IBM Cloud accounts should be secure by default. Therefore, IBM Cloud will make sure that whenever an IBM Cloud account is created, the authentication settings will be preset to disable Command Line Interface logins with username and password. Together with this option, users will be required to do device-dependent multifactor authentication from IBMid if they use a new device or browser to log in to IBMid. Existing accounts that have not enabled any level of multifactor authentication will also benefit from this enhancement.

It is important to note that there are certain situations in which this new default authentication setting might break an existing workflow.

For example, if you have automated the creation of IBM Cloud accounts inside an Enterprise structure, this new default setting will force the customer to either do a manual CLI login using a one-time passcode or generate an API key after logging in to the Cloud Console UI before any further automation can be executed on that newly created account. Also, existing IBM Cloud accounts might rely on the ability to do a CLI login using a username/password combination.

In both cases, IBM will provide guidance through additional notifications about how to create new accounts in an enterprise with the ability to execute a CLI login using a username/password combination. Furthermore, IBM will give you a mechanism to opt out of updating your existing account’s authentication settings, so any existing automation will continue to work without modifications.

Summary

In the coming weeks and months, you will see continued recommendations and capabilities to enhance the security posture of your IBM Cloud accounts. In a world where a large majority of security breaches involve login credentials—whether stolen via social engineering or credential stuffing, or cracked using brute force—it is more important than ever to ensure your accounts are secured.

Although IBM provides generous security configuration flexibility, we recommend that you avoid using weak security settings and enable MFA for all your users and accounts. In addition, instead of using CLI logins that require only a username/password combination, you should switch to using API keys that provide a higher level of security.

We also recommend that you don’t wait for IBM to update the authentication settings on your account; you should take immediate action to select a multifactor authentication level in your account that matches your requirements. This way, you have better control over who will adopt MFA and when. Furthermore, you will have confidence that your IBM Cloud account is configured to prevent account compromise in the best way possible.

Authors
Martin Smolny IBM Cloud Identity and Access Management
Thomas Dürr IBM Cloud Platform - IAM Development