IBM Security Z Security

Introducing IBM Z Multi-Factor Authentication V2.0

By Michael Zagorski posted Tue May 14, 2019 11:14 AM


I’m proud to be part of the team that brings you a major release of our multi-factor authentication offering for the mainframe. Before we dig into the new features and enhancements, let’s discuss a slight name change. The old name was IBM Multi-Factor Authentication for z/OS. The new name is IBM Z Multi-Factor Authentication, or IBM Z MFA for short.

Below is a short description of “what’s new” in the release, and I encourage you to explore further by checking out the other assets I’ve listed at the end of this blog. I just posted a new MFA topic on the Discussion forum and I hope you’ll contribute your 2 cents as well.

We’ll also be adding more MFA best practices, tips and tricks to the Z Security Community in the coming weeks, so stay tuned!


IBM Z MFA V2.0 Summary

ISAM Integration (ISAM pick up OTP, CIV Integration via RADIUS)

What is it? IBM Z MFA adds a new factor to allow easier integration with ISAM (IBM Security Access Manager). The user first authenticates to ISAM to obtain a One-Time Passcode (OTP), then uses that OTP when logging on to z/OS.

Client Value

  • Simplify Administration
  • Leverage existing investment
  • Integration between IBM solutions


Native YubiKey

New factor to support YubiKey devices using the Yubico OTP algorithm directly on z/OS. This capability does not require an external authentication server because all OTP evaluation is performed on the z/OS system.

Client Value

  • Simplify Administration
  • No need for an external server
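As an added illustration of what “all OTP evaluation is performed on the z/OS system” has to compute, here is a self-contained Go sketch of Yubico OTP validation: decrypt the single AES-128 block, check the CRC residue and private ID, and reject replays using the use and session counters. This is example code, not IBM Z MFA’s implementation; the key and private ID are constructed values, and plain hex stands in for the modhex the key actually types.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// crc16: CRC-16 (poly 0x8408, init 0xffff) used by Yubico OTP; over all 16 decrypted bytes the residue is 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// sealToken is the device side: uid(6) useCtr(2,LE) tstp(3) sessionCtr(1) rnd(2) ~crc(2,LE), one AES-128
// block. Hex is used here for brevity; real keys emit modhex ("cbdefghijklnrtuv"), a 1:1 substitution for hex.
func sealToken(key, uid []byte, useCtr uint16, sessCtr uint8) string {
	pt := make([]byte, 16) // tstp and rnd stay zero in this constructed example
	copy(pt, uid)
	binary.LittleEndian.PutUint16(pt[6:], useCtr)
	pt[11] = sessCtr
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14]))
	c, _ := aes.NewCipher(key) // key is a constructed 16-byte value, so no error is possible here
	c.Encrypt(pt, pt)
	return hex.EncodeToString(pt)
}

// verifyOTP is the server side: decrypt, check CRC residue and private ID, then reject replays by requiring
// (useCtr, sessionCtr) to move strictly past the last accepted pair. On success it returns the pair to persist.
func verifyOTP(otp string, key, uid []byte, lastUse uint16, lastSess uint8) (uint16, uint8, error) {
	ct, err := hex.DecodeString(otp)
	c, kerr := aes.NewCipher(key)
	if err != nil || kerr != nil || len(ct) != aes.BlockSize {
		return 0, 0, errors.New("bad key length or OTP is not one 16-byte block")
	}
	c.Decrypt(ct, ct)
	if crc16(ct) != 0xf0b8 || string(ct[:6]) != string(uid) {
		return 0, 0, errors.New("wrong key or private ID")
	}
	use, sess := binary.LittleEndian.Uint16(ct[6:])&0x7fff, ct[11] // bit 15 of useCtr is a flag, not count
	if use < lastUse || (use == lastUse && sess <= lastSess) {
		return 0, 0, errors.New("replayed or stale OTP")
	}
	return use, sess, nil
}
```

The persisted counter pair is what makes local evaluation safe: a captured OTP can never be accepted a second time, and the server needs no network call to decide that.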


LDAP Simple Bind

New factor for authenticating to a variety of LDAP servers, including Microsoft Active Directory, using Simple Bind.

Client Value

  • New factor to leverage an Active Directory password
  • Use AD password with another token via out-of-band support


Policy First Update

Updated the out-of-band interface so that the user must enter a policy before entering any credential, such as a user ID.

Client Value

  • Eliminates the potential for user ID enumeration
  • Increased security


JWT Support

Support for RACF Identity Tokens: SAF and RACF authentication processing can now generate and validate Identity Tokens, which are formatted as JSON Web Tokens (JWT). This Identity Token support lets z/OS applications and RACF link together multiple authentication API calls.

Client Value

  • Provides a framework for better integration between applications and MFA


Out of Band - National Language Support & Customization

The out-of-band server is updated to support multiple languages. In addition, we now allow some degree of customization of the text presented to the user.

Client Value

  • Allows the client to customize the OoB interface


Self-Service Password Change

New web interface that will allow users to change their RACF (or another ESM) password or password phrase via a web browser.

Client Value

  • Simplify Administration
  • Fewer calls to help desk


Additional Resources

IBM Announcement Letter (US version)

IBM Z MFA marketplace web pages with more resources (FAQ, blogs and articles, webinars, related product info, etc.)