
Happy Cybersecurity Awareness Month - Announcing IBM Z MFA 2.3!

By Jared Hunter posted Tue October 03, 2023 06:09 PM


This October marks the twentieth annual Cybersecurity Awareness Month, originally launched in 2004 by the National Cybersecurity Alliance and the U.S. Department of Homeland Security.  Just a few months earlier, your humble author joined Rocket Software, where I logged on to TSO for the very first time.

A few (or maybe more than a few!) years later, I became one of the original architects of IBM Z MFA, and am thankful that Cybersecurity Awareness Month 2023 is focusing on multi-factor authentication as a key behavior this year.

IBM Z MFA 2.3 Announced!

With today's announcement of IBM Z MFA version 2.3, I'm celebrating a little extra.  There are great new features coming in this release, and I'm excited to finally be able to talk about them publicly.

SSO Pattern Support

Our customers have been asking for integration with enterprise SSO frameworks, and we've been listening.  The new /jwt2ctc web service and associated AZFOIDC1 factor, and a new Node.js application that consumes the web service, will bridge between a customer's OpenID Connect IdP and their applications running on z/OS.

Easier and More Robust LDAP Factor Administration

Instead of configuring the full Distinguished Name (DN) to use when testing a user's LDAP password, IBM Z MFA 2.3 will allow the MFA administrator to provision the LDAP factor using information that's both closer at hand and very unlikely to change.  IBM Z MFA 2.3 can automatically detect a user's DN by searching the LDAP directory for some other identifier (like an e-mail address).  If an employee changes roles in a way that alters their LDAP DN, that change can be handled automatically by IBM Z MFA 2.3 (both on z/OS and in the Linux version of Z MFA).

User-driven Password Fallback

This is an advanced system availability feature for IBM Z MFA 2.3 on z/OS.  It provides an MFA-managed supplement to the existing Password Fallback function. User-driven Password Fallback can ensure system availability even if a piece of required MFA infrastructure is attacked or impacted in a way that IBM Z MFA cannot detect itself.  It can also be used with any surrounding MFA configuration, even those that rely exclusively on out-of-band credential processing.

Watch for future blog posts that dig into the details of User-driven Password Fallback, and other new features in IBM Z MFA 2.3!