Just in time for the holidays, IBM Z Multi-Factor Authentication has GAed!! Before you take some much needed time off during this holiday season, check out some of the great features that we've added. Please reach out to me at zagorski@us.ibm.com if you have any questions.
SSO Pattern Support
Our customers have been asking for integration with enterprise SSO frameworks, and we've been listening. The new /jwt2ctc web service and associated AZFOIDC1 factor, and a new Node.js application that consumes the web service, will bridge between a customer's OpenID Connect IdP and their applications running on z/OS.
Easier and More Robust LDAP Factor Administration
Instead of configuring the full Distinguished Name (DN) to use when testing a user's LDAP password, IBM Z MFA 2.3 will allow the MFA administrator to provision the LDAP factor using information that's both closer at-hand and very unlikely to change. IBM Z MFA 2.3 can automatically detect a user's DN by searching the LDAP directory for some other identifier (like an e-mail address). If an employee changes roles in a way that alters their LDAP DN, that change can be handled automatically by IBM Z MFA 2.3 (both on z/OS and in the Linux version of Z MFA).
User-driven Password Fallback
This is an advanced system availability feature for IBM Z MFA 2.3 on z/OS. It provides an MFA-managed supplement to the existing Password Fallback function. User-driven Password Fallback can ensure system availability even if a piece of required MFA infrastructure is attacked or impacted in a way that IBM Z MFA cannot detect itself. It can also be used with any surrounding MFA configuration, even those that rely exclusively on out-of-band credential processing.
Watch for future blog posts that dig into the details of User-driven Password Fallback, and other new features in IBM Z MFA 2.3!