On July 23, 2019, IBM z/OS V2.4 and IBM Security zSecure V2.4 were announced with a planned availability date of September 30, 2019. Among many other things, the z/OS V2R4 announcement states: "RACF authentication processing is enhanced to support generation and validation of Identity Tokens. The Identity Token contains various claims that contain authentication state information and is in the format of a JSON Web Token (JWT). This Identity Token support allows z/OS applications and RACF to link together multiple authentication API calls and to replay proof of authentication. This capability is exploited by TSO/E to improve the user experience for certain IBM Z Multi-Factor Authentication logon flows."
This JWT support has also been made available for z/OS V2.2 and z/OS V2.3 via new-function maintenance around the time that IBM Z Multi-Factor Authentication V2.0 (IBM Z MFA) was released (May 2019).
I posted a summary article about the emergence of multi-factor authentication support on IBM Z over the last several years in the "Z Security" group of the IBM Security Community[1], also explaining how the various parts (z/OS, RACF, Z MFA, and zSecure) work together.
Furthermore, I would like to draw your attention to the article Michael Zagorski posted there last May about IBM Z MFA 2.0 highlighting new features such as the ability to use IBM Security Access Manager (ISAM)'s "pick-up One-Time Passcode (OTP) procedure" with IBM Z MFA's compound in-band authentication, where the ISAM-generated OTP can be used in conjunction with the user's RACF password or passphrase.
Enjoy.
--Jeroen
[1] Although IBM Security zSecure suite fits into the "Identity and Access Management" category, some of its components also fit with other security categories. A choice has been made that discussing security for the mainframe primarily in a dedicated "Z Security" group provides the best focus at this time. I intend to provide short notifications in the "IAM" group for notable new articles there going forward.
P.S. For those who don't know yet, zSecure integrates with many other IBM Security products including QRadar, Guardium, ISIGI, ISKLM, etc. as well as specific mainframe products such as RACF, ICSF, and Z MFA.