Hi Mustafa,
You asked:
> What is the best method to use it on which situation/service (banking / social account / work account)?
The short answer is "it depends," largely on which choices are most readily available (to the IT organization, or to the end user). IBM Z MFA supports some Factors that can be hosted directly on z/OS (Certificates, TOTP, or Yubico OTP) without the use of an external server, as well as several Factors that do require calls out to the network (e.g., LDAP, RADIUS, RSA SecurID).
There is currently no 'direct' support for PassKeys in IBM Z MFA, but it's possible to configure MFA to interact with an external auth service that does support PassKeys, most likely via RADIUS or OIDC.
In much the same way that "the best camera is the one you always have with you," the best MFA for many organizations is the method that is easiest to deploy and maintain, and which authenticating end-users will use correctly without repeated calls to the help desk.
And of course, we recommend that z/OS be configured for MFA ("defense in depth") vs. relying exclusively on MFA into the corporate network / onto the user's laptop/desktop endpoint.
-Jared
------------------------------
Jared Hunter
Strategic Architect, Security
Rocket Software, Inc.
------------------------------
Original Message:
Sent: Sun June 02, 2024 08:07 AM
From: MUSTAFA SALAH
Subject: Using Multi-Factor Authentication - SMS
MFA can add a layer of security. However, it depends on other services that may also be vulnerable.
Should we rely on biometrics (with privacy concerns)?
Tokens?
Passkeys/smartcards/USB
What is the best method to use it on which situation/service (banking / social account / work account)?
------------------------------
MUSTAFA SALAH
------------------------------