I’m proud to be part of the team that brings you a major release of our multi-factor authentication offering for the mainframe. Before we dig into the new features and enhancements, let’s discuss a slight name change. The old name was IBM Multi-Factor Authentication for z/OS. The new name is IBM Z Multi-Factor Authentication, or IBM Z MFA for short.
Below is a short description of “what’s new” in the release, and I encourage you to explore further by checking out the other assets I’ve listed at the end of this blog. I just posted a new MFA topic on the Discussion forum and I hope you’ll contribute your 2 cents as well.
We’ll also be adding more MFA best practices, tips and tricks to the Z Security Community in the coming weeks, so stay tuned!
IBM Z MFA V2.0 Summary
ISAM Integration (ISAM pick up OTP, CIV Integration via RADIUS)
What is it? IBM Z MFA adds a new factor to allow easier integration with ISAM. The user will initially authenticate to ISAM to get a One-Time Passcode (OTP). They then use that OTP when logging on to z/OS.
Client Value
- Simplify Administration
- Leverage existing investment
- Integration between IBM solutions
Native YubiKey
What? New factor to support YubiKey devices with the Yubico OTP algorithm directly on z/OS. This capability does not require an external authentication server because all OTP evaluation is performed on the z/OS system.
Client Value
- Simplify Administration
- No need for an external server
LDAP Simple Bind
What? New factor for authenticating to a variety of LDAP servers, including Microsoft Active Directory, using Simple Bind.
Client Value
- New factor to leverage an Active Directory password
- Use AD password with another token via out-of-band support
Policy First Update
What? The updated Out-of-Band interface requires the user to enter a policy before they enter any credentials, such as a user ID.
Client Value
- Eliminates the potential for User ID enumeration
- Increased security
JWT Support
What? Support for RACF Identity Tokens: SAF and RACF authentication processing now supports the generation and validation of Identity Tokens. These tokens are in the format of a JSON Web Token (JWT). This Identity Token support will allow z/OS applications and RACF to link together multiple authentication API calls.
Client Value
- Provides a framework for better integration between applications and MFA
Out of Band - National Language Support & Customization
What? The out-of-band server is updated to support multiple languages. In addition, we will now allow some degree of customization of the text presented to the user.
Client Value
- Allows the client to customize the OoB interface
Self-Service Password Change
What? New web interface that will allow users to change their RACF (or another ESM) password or password phrase via a web browser.
Client Value
- Simplify Administration
- Fewer calls to help desk
Additional Resources
IBM Announcement Letter (US version)
IBM Z MFA marketplace web pages with more resources (FAQ, blogs and articles, webinars, related product info, etc)