IBM Z Multi-Factor Authentication features

Extensions for RACF with auditing and provisioning

Introduce factor extensions to components of IBM RACF® user-related commands. Extend Security Authorization Facility (SAF) programming interfaces to define supported tokens during user authentication requests, enabling MFA-aware applications to specify factors in addition to RACF passwords or password phrases. Audit these extensions, and provision and define MFA tokens using RACF user-related commands.

Centralized RACF database support

Store authentication data in the RACF database, define and alter MFA data with RACF commands, and unload non-sensitive MFA fields in the RACF database with DBUNLOAD utility. z/OS® Security Server RACF enablement consists of updates to the RACF database, RACF commands, callable services, logon processing and RACF utilities.

RADIUS support: RSA, Gemalto and generic

Use any factor based on the RADIUS standard protocol through the IBM Z MFA RADIUS gateway. Support RSA SecurID tokens using the time-based algorithm, as either hardware tokens or software-based tokens. The RSA SecurID and Gemalto SafeNet implementations offer more robust and granular messaging than the generic RADIUS factor.

IBM ISAM integration (new in IBM Z MFA V2)

Initiate authentication via IBM Security Access Manager (ISAM), using the “pick-up One-Time Passcode (OTP) procedure.” The OTP is used instead of the password when logging on to z/OS. ISAM integration supports compound in-band authentication, where the ISAM-generated OTP can be used in conjunction with the user's RACF password or password phrase.

IBM CIV integration

In addition to the existing factor support, IBM Z MFA includes IBM Cloud Identity Verify (CIV) integration using the CIV RADIUS gateway and IBM Z MFA generic RADIUS protocol factor. CIV integration supports compound in-band authentication, where the CIV-generated OTP can be used with a RACF password or password phrase.

Native Yubico support (new in IBM Z MFA V2)

Utilize a variety of Yubikey devices that support the Yubico OTP algorithm. IBM Z MFA does not require an external authentication server, and all OTP evaluation is performed on the z/OS system by the IBM Z MFA started task.

IBM TouchToken and generic TOTP

IBM TouchToken enables user authentication to be evaluated directly on z/OS, enforcing two-factor authentication with no additional off-platform validation. Generic TOTP support covers standards-compliant TOTP token applications, including third-party TOTP applications on Android and Microsoft Windows devices.

Certificate-based authentication, PIV, CAC card support

Establish the foundation for supporting any certificate-based authentication system. Enable authentication for Personal Identity Verification (PIV) and Common Access Card (CAC) smart cards commonly used in federal government.

Compound authentication

Enforce compound authentication, where more than one factor is required in the authentication process. Compound in-band authentication requires the user to supply a RACF credential (password or password phrase) in conjunction with a valid MFA credential.
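The two passages above describe standards-based TOTP evaluation on the z/OS side and compound in-band authentication (RACF password or password phrase plus an MFA credential). The following is an added illustration, not IBM's code and not a description of the IBM Z MFA started task's internals: a server-side RFC 4226/6238 verifier with a clock-drift window and replay protection, combined with a password check so that both factors must succeed. The secret is the published RFC 4226/6238 test key, and the password hash and salt are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo credentials. DEMO_SECRET is the RFC 4226 / RFC 6238 test key,
# not a real token seed; the password material is made up for this example.
DEMO_SECRET = b"12345678901234567890"
DEMO_PASSWORD_SALT = b"constructed-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_PASSWORD_SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def match_totp(secret: bytes, code: str, at_time: int, used_steps: set,
               step: int = 30, digits: int = 6, window: int = 1):
    """Return the time step the submitted code matches, or None.

    Accepts the current step and +/- `window` neighbouring steps to tolerate
    clock drift between the token and the server. Steps already recorded in
    `used_steps` are refused, so a captured code cannot be replayed within the
    window. The comparison is constant-time.
    """
    current = at_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits).encode(), code.encode()):
            return candidate
    return None


def verify_password(supplied: str) -> bool:
    """Check the first factor against the stored salted PBKDF2 verifier."""
    digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(), DEMO_PASSWORD_SALT, 100_000)
    return hmac.compare_digest(digest, DEMO_PASSWORD_HASH)


def verify_compound(password: str, otp: str, at_time: int, used_steps: set,
                    secret: bytes = DEMO_SECRET) -> bool:
    """Compound in-band authentication: the password AND the OTP must both verify.

    Both factors are always evaluated so a bad password does not short-circuit
    and reveal which factor failed. The OTP step is consumed only on full
    success, so a wrong password does not burn the user's current code.
    """
    pw_ok = verify_password(password)
    step_hit = match_totp(secret, otp, at_time, used_steps)
    if pw_ok and step_hit is not None:
        used_steps.add(step_hit)
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current demo TOTP:", totp(DEMO_SECRET, now))
    print("compound login:", verify_compound("correct horse", totp(DEMO_SECRET, now), now, set()))
```

In a real deployment the used-step set would be persisted per user (the page states that IBM Z MFA stores its data in the RACF database), and the password check would be delegated to RACF rather than a local hash.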

Fault tolerance and application exemption

Exempt MFA processing for applications whose authentication properties can prevent MFA from working properly. Define SAF profiles that mark certain applications as excluded from MFA and allow a user to log on to those applications with a password, password phrase or PassTicket. Conversely, use SAF profiles to create inclusion policies that ease adoption of MFA for selected users and applications.

Technical details

Hardware requirements

IBM Z MFA requires one of the following Z family servers:

  • IBM z14
  • IBM z13
  • IBM z13s
  • IBM zEnterprise EC12 (zEC12)
  • IBM zEnterprise BC12 (zBC12)

Software requirements

IBM Z MFA requires:

  • RSA Authentication Manager 8.1 for RSA SecurID exploitation
  • For SafeNet support, access to an external Gemalto SafeNet Authentication Service server
  • Web browser: TLS 1.2 session capable; operates with local smart card drivers if smart cards are used
  • For generic RADIUS support, access to an external server that supports the RADIUS PAP protocol
  • On-premises ISAM instance V9.0.6, or access to a CIV instance if using this support
  • Tokens compatible with either IBM Z MFA supported factors or ISAM

Technical specifications

Prerequisites for IBM Z MFA:

  • z/OS V2.2 Security Server RACF 2.2, or later, with PTFs for MFA support

You may also be interested in

Consider these related products in the IBM Security family

IBM Security Access Manager

IBM Security Verify Access, formerly IBM Security Access Manager or ISAM, helps you simplify your users' access while more securely adopting web, mobile, IoT and cloud technologies. It can be deployed on-premises, in a virtual or hardware appliance or containerized with Docker. Verify Access helps you strike a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and mobile multi-factor authentication. Take back control of your access management with Verify Access.


IBM Security Verify for Workforce IAM

IBM Security Verify helps organizations infuse identity as a central pillar of a zero trust strategy to provide both a frictionless and secure experience for every user. Verify delivers a modernized, modular IAM platform that leverages unparalleled context for decisions about who should be able to access what, with AI-powered, risk-based authentication. It takes a highly consumable, API-first approach with a robust, guided developer experience to fit custom needs, while integrating with comprehensive security workflows including threat management and incident response. Verify delivers smart identity for the hybrid multicloud world.


IBM Security zSecure Admin

IBM® Security zSecure™ Admin automates and simplifies IBM Resource Access Control Facility (RACF®) security and compliance administration tasks and enhances RACF delegation capabilities and identity governance. By automating many recurring system administration functions and enhancing the native RACF authorization and delegation capabilities, zSecure Admin helps you maximize IT resources, reduce errors, increase efficiency, improve service quality and identify problems quickly to help minimize security risks and demonstrate compliance.
