IBM Security Z Security

Introducing IBM Z Multi-Factor Authentication V2.0

By Michael Zagorski posted Tue May 14, 2019 11:14 AM

  

I’m proud to be part of the team that brings you a major release of our multi-factor authentication offering for the mainframe. Before we dig into the new features and enhancements let’s discuss a slight name change. The old name was IBM Multi-Factor Authentication for z/OS. The new name is IBM Z Multi-Factor Authentication, or IBM Z MFA for short.

Below is short description of “what’s new” in the release and I encourage you to explore further by checking out the other assets I’ve listed at the end of this blog. I just posted a new MFA topic on the Discussion forum and I hope you’ll contribute your 2 cents as well.

We’ll also be adding more MFA best practices, tips and tricks to the Z Security Community in the coming weeks, so stay tuned!

 

IBM Z MFA V2.0 Summary


ISAM Integration (ISAM pick up OTP, CIV Integration via RADIUS)

What is it? IBM Z MFA adds a new factor to allow easier integration with ISAM.  The user will initially authenticate to ISAM to get a One-Time Passcode (OTP). They then use that OTP when logging on to z/OS.


Client Value

  • Simplify Administration
  • Leverage existing investment
  • Integration between IBM solutions

 

Native Yubikey


What? 
New factor to support YubiKey devices with the Yubico OTP algorithm directly on z/OS.  This capability does not require an external authentication server because all OTP evaluation is performed on the z/OS system.


Client Value

  • Simplify Administration
  • No need for an external server

 

LDAP Simple Bind


What? 
New factor for authenticating to a variety of LDAP servers, including Microsoft Active Directory, using Simple Bind.


Client Value

  • New factor to leverage an Active Directory password
  • Use AD password with another token via out-of-band support

 

Policy First Update


What?  
Updated the Out-of-Band interface which requires the user to enter a policy before they enter any credentials such as a user ID.


Client Value

  • Eliminates the potential for User ID enumeration
  • Increased security

 

JWT Support


What? 
Support for RACF Identity Tokens – Support for SAF and RACF authentication processing to support generation and validation of Identity Tokens. These tokens are in the format of a JSON Web Token (JWT). This Identity Token support will allow z/OS applications and RACF to link together multiple authentication API calls.


Client Value

  • Provides a framework for better integration between applications and MFA

 

Out of Band - National Language Support & Customization


What?  
Updating the out-of-band server to support multiple languages.  In addition we will now allow some degree of customization to the text presented to the user.


Client Value

  • Allows the client to customize the OoB interface

 

Self-Service Password Change


What? 
New web interface that will allow users to change their RACF (or another ESM) password or password phrase via a web browser.


Client Value

  • Simplify Administration
  • Fewer calls to help desk

 

Additional Resources

IBM Announcement Letter (US version)

IBM Z MFA marketplace web pages with more resources (FAQ, blogs and articles, webinars, related product info, etc)

 


#zSecure
0 comments
35 views

Permalink