Tips for Using Multi-Factor Authentication on IBM i

For decades, IBM i systems have served as the powerful, dependable backbone of countless enterprises. These machines typically house large volumes of sensitive information, and their continuous operation is usually essential to uninterrupted business operations. That’s why security is so important. With the sharp rise of cybersecurity threats, securing your IBM i system is more important than ever.

If your organization still relies on simple authentication based on a username and password combination, your systems are at risk. It’s time to implement multi-factor authentication.

What Is Multi-factor Authentication?

Multi-factor Authentication (MFA) requires users to verify their identities via multiple means before gaining access to a system or application. MFA combines two or more independent credentials: something the user knows (such as a password or PIN), something the user has (a security token or smartphone, for example), and something the user “is” (biometric verification like fingerprints or facial recognition). By leveraging these multiple forms of verification, MFA provides an enhanced layer of security, dramatically reducing the risk of unauthorized access.

MFA is rapidly becoming standard protocol because it introduces an additional layer of protection, ensuring that access to your critical system resources is granted only to those with the correct combination of multiple verification methods. By embracing MFA, organizations can drastically reduce the risk of unauthorized access, thereby fortifying data and applications against cyber threats.

The Simple Username/Password Approach Doesn’t Work

The main problem with the old-fashioned approach is that simple username/password combinations no longer work. Human beings have a natural inclination to simplify things, prompting them to use familiar names, dates, or similar elements when creating a password. It’s also common practice to use the same password to access multiple applications or websites or even to write down passwords and keep them in a desk drawer or other convenient location.

Although these methods make it easier for users to access systems and applications, they also make it easier for bad actors to infiltrate your IT systems.

Security experts recommend using complex passwords rather than simple ones. Complex passwords are more secure, but they increase the likelihood of lost passwords, requiring IT intervention. Moreover, users are more likely to write down complex passwords. Anyone who has physical access to the physical workspace could potentially harvest login credentials from the sticky notes hiding in a desk drawer or under a keyboard.

MFA Is the New Standard

Security experts, including organizations like NIST and BSI, recommend using simpler passwords in combination with multi-factor authentication.

Numerous industry organizations and governmental authorities are now recommending or requiring MFA. For example:

• The Payment Card Industry Data Security Standard (PCI DSS) mandates that businesses that store, process, or transmit credit card information must use MFA to protect sensitive cardholder data.
• The Federal Financial Institutions Examination Council (FFIEC) requires that financial institutions use MFA to enhance security.
• 23 NYCRR 500, a regulation from the New York Department of Financial Services (NYDFS) for financial services companies mandates the use of MFA to protect against unauthorized access to non-public information or information systems.
• The Defense Federal Acquisition Regulation Supplement (DFARS) dictates that contractors working with the US Department of Defense (DoD) must secure Controlled Unclassified Information (CUI), with MFA being a recommended security control.
• International Organization for Standardization (ISO) 27001 emphasizes access control, where MFA is often a recommended control to ensure authorized access.
• The Federal Information Security Management Act (FISMA) requires that federal agencies and their contractors deploy strong access controls, most effectively achieved using MFA.

Other privacy and security regulations either strongly suggest or outright require the use of MFA, including HIPAA, Sarbanes-Oxley, GLBA, GDPR, Swift Alliance Access, and more.

What to Look for in an MFA Solution for IBM i

MFA does away with the risks associated with weak passwords and complex passwords. Moreover, it’s customizable, simple to administer, and easy for end-users to adopt. But what should you look for in an MFA solution if your technology landscape includes IBM i systems?

You’ll want to consider the various ways in which authentication codes can be delivered to the end-user, including smartphone apps, emails, SMS text messages, biometric devices, or hardware tokens. You’ll also need to decide which authentication service you’ll use to generate codes. Options include RADIUS, RFC6238, Telesign, and others.

If you’re running an IBM i system, look for an MFA solution that integrates with that platform’s sign-on screen. You’ll also want a solution that integrates with other IBM applications and processes.

For MFA that is both robust and easy to administer, you’ll want a solution that supports custom rules to govern specific situations or user scenarios such as Group Profiles, Special Authorities, sign-on from specific IP addresses and/or devices, or at certain times of the day.

Look for a solution that allows you to protect application usage at a granular level, or to allow or block traffic using specific communication protocols such as FTP, ODBC, or REXEC.

Ease of user administration is also important. Look for an MFA solution that allows you to register users individually, or globally via group profiles or other attributes.

You should also consider whether or not you want one-step authentication (in which login information and access codes are submitted together) or multi-step authentication (in which the user must first enter a password, then a code). Ideally, your MFA solution should support both scenarios.

More Tips for Implementing MFA on IBM i

Here are additional tips to consider when implementing MFA for your IBM i system.

• What if the authentication server doesn’t respond? It’s better to check than more than one authentication server, so that if one fails the alternate system can authenticate the user.
• What if the user is QSECOFR? How do you want your MFA implementation to handle this? 
• What if a user connects from the console? How do you want your MFA solution to respond?
• What should be done with QMAXSIGN and QMAXSGNACN system values? If a user enters incorrect credentials, it’s important that they not know why their login failed. Best practices dictate changing the default messages.
• Is the coding robust, and does it leave traces in the job log or journals? It’s important to hide this information from users so that they can avoid probing for weaknesses in security.
• Are changes to MFA auditable? Any alterations to the MFA configuration must be easily auditable, and access by administrators should be prevented using exit points.

Assure Security for IBM i

Assure Security from Precisely delivers best-in-class IBM i security capabilities to help your organization establish and automate effective, comprehensive, and auditable security practices. Assure Access Control lets you enforce strict security policies to protect your systems and data with effective, automated control over every level and method of access.

Assure’s Multi-Factor Authentication strengthens logon security for configured users. Certified for RSA SecurID, Assure Multi-Factor Authentication also supports RADIUS servers or a Precisely-provided authenticator.

Ready to learn more? Read our free whitepaper, Multi-Factor Authentication for IBM i: How multi-factor authentication works and how Assure Security from Precisely can help.