August 14, 2024 | IBM i

Strengthening IBM i Password Security with MFA


Using passwords, passphrases, and PINs for system access poses a number of user security and usability issues, including: 

  • Weak or default passwords that are easy to guess 
  • Vulnerability to phishing methods that steal passwords 
  • Overly complex passwords that are difficult to remember  
  • User frustration in creating new passwords that meet password complexity requirements 
  • Frequent password changes for multiple servers 

These issues are most severe when the password is the only credential checked at sign-on, that is, when a server relies on Single Factor Authentication (SFA). The good news is that most of them shrink or disappear once Multi-Factor Authentication (MFA) is in place. Here is how implementing MFA can both simplify and strengthen IBM i sign-on security and usability.

How MFA Works 

Multi-Factor Authentication (MFA) requires users to present two or more independent credentials (factors), normally drawn from different categories (something the user knows, something the user has, something the user is), before they can access a computer resource such as an IBM i server. Independence matters: a second factor that can be stolen in the same way as the first adds little. See SEA’s Guide to IBM i Multi-Factor Authentication (MFA) for more information on implementing MFA on IBM i systems.

Protection Against Stolen Passwords (Phishing)

Bad actors trick users into revealing their sign-on credentials with phishing techniques. System credentials can be obtained by social engineering, man-in-the-middle (MitM) attacks, vishing (voice), smishing (SMS), pharming (DNS or host redirection) and many other credential-theft schemes.

MFA protects against a password stolen through phishing by requiring a second form of identification before allowing system access. Even if an attacker learns a critical password, they cannot sign on without the second factor. One caveat a practitioner should keep in mind: conventional second factors such as one-time codes and push approvals can themselves be captured or relayed by a real-time phishing proxy, which is why the phishing-resistant MFA discussed later in this article matters.

Protection Against Weak & Default Passwords 

IBM-supplied user profiles such as QSECOFR, QSYSOPR, QPGMR, and QUSER have shipped with default passwords (a password equal to the user profile name). Legacy onboarding practices leave the same weakness on ordinary profiles: CRTUSRPRF defaults to PASSWORD(*USRPRF), which sets the password to the profile name unless the administrator overrides it, so there may be several IBM i user profiles that still have default passwords. The ANZDFTPWD (Analyze Default Passwords) command lists every profile whose password equals its name and, with ACTION(*DISABLE) or ACTION(*PWDEXP), can disable those profiles or expire their passwords on the spot.

Further Reading: Five Steps to Eliminate Default IBM i User Passwords

And even with constant reminders not to use weak passwords such as ‘Password’ or ‘Qwerty’, or passwords that contain personal information, many users still choose passwords that are easy to guess. When it is time to change the password, these users often pick a near-identical weak value that still satisfies the composition rules (‘Password1’ or ‘Password2’ to replace ‘Password’), which is exactly the behaviour that makes forced rotation so ineffective.

MFA mitigates the risk of default and weak passwords: because users must verify their identity in more than one way, an attacker who guesses or cracks a password still cannot sign on to your IBM i systems unless they also obtain or defeat the second factor. MFA is a compensating control, not a reason to leave default passwords in place; a default password on a profile that is exempt from MFA, or that is used over an interface MFA does not cover, is still an open door.

Password Simplification and Removing Password Expiration Intervals 

The US federal zero trust architecture strategy (ZTA, OMB Memorandum M-22-09) specifies that “…Agencies must remove password policies that require special characters and regular password rotation from all systems…” within one year. This follows the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (NIST Special Publication 800-63B), which aim to reduce the vulnerabilities that come from forcing users to invent “…excessively long or complex memorized secrets” (passwords, passphrases, and PINs).

Further Reading: What is Federal Zero Trust Architecture (ZTA) & How Will It Affect My IBM i?

Note that these ZTA requirements conflict with existing regulatory, industry, and some governmental password rules: composition rules that demand three of the four character types (the IBM i QPWDRULES *REQANY3 option), a Password Expiration Interval (QPWDEXPITV), or a Required Difference in Passwords (QPWDRQDDIF) that forbids reusing recent passwords. Organizations adopting ZTA will have to navigate between its password simplification requirements and other governmental, regulatory, industry, and insurance password requirements, and should be able to show which rule each system value is satisfying.

The trend is toward longer but less complex passwords, checked against a blocklist of known-bad values, with MFA compensating for weaknesses in password selection, and scheduled password rotation is becoming less common. Eliminating forced rotation removes the recurring chore of inventing a new compliant password on each IBM i server, which is where much of the user frustration (and most of the ‘Password1’ style recycling) comes from.
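To make the two preceding points concrete (users recycling ‘Password’ as ‘Password1’, and a composition rule such as *REQANY3 versus a length-plus-blocklist policy), here is an added example. It is not code from this article, from IBM i, or from any SEA product. It checks a proposed new password under a legacy three-of-four-character-classes rule and under a NIST SP 800-63B style policy (length bounds, blocklist, no user profile name, no trivial variant of the previous password). The blocklist, the leet-speak table, the profile name JSMITH and the candidate passwords are constructed; the IBM i option names in the comments are for orientation only, the code does not read IBM i system values.

```python
"""Contrast a legacy composition rule with a NIST SP 800-63B style check.

Added illustration for this article; it is not code from the article, from
IBM i, or from any SEA product. The blocklist, the sample profile name and
the leet-speak table are constructed assumptions, and the IBM i option names
in comments are only for orientation (this code does not read system values).
"""
from __future__ import annotations

import re

# Constructed blocklist; a real deployment uses a large breached-password set.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "123456"}

# Common substitutions users apply to recycle a password ('P@ssw0rd').
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def canonical(pw: str) -> str:
    """Collapse case, leading/trailing digit or symbol runs ('Password1!'),
    and leet substitutions so trivial variants compare equal."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop the appended '1', '2024', '!'
    core = re.sub(r"^[^a-z]+", "", core)   # and anything prepended
    return core.translate(LEET)


def passes_composition_rule(pw: str, min_len: int = 8) -> bool:
    """Legacy rule: minimum length plus three of four character classes
    (the shape of the IBM i QPWDRULES *REQANY3 option)."""
    classes = (re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3


def nist_style_rejections(pw: str, previous: str, profile_name: str,
                          min_len: int = 15, max_len: int = 128) -> list[str]:
    """SP 800-63B style check: length bounds, blocklist, no context word
    (IBM i has a comparable option, QPWDRULES *LMTPRFNAME), and no trivial
    variant of the previous password. No composition rule, no rotation clock.
    Returns the reasons for rejection; an empty list means accepted."""
    reasons = []
    if not min_len <= len(pw) <= max_len:
        reasons.append(f"length must be {min_len}-{max_len} characters")
    core = canonical(pw)
    if pw.lower() in BLOCKLIST or core in BLOCKLIST:
        reasons.append("matches a commonly used or breached password")
    if profile_name.lower() in pw.lower():
        reasons.append("contains the user profile name")
    if core and core == canonical(previous):
        reasons.append("trivial variant of the previous password")
    return reasons


def evaluate(pw: str, previous: str, profile_name: str) -> dict:
    """Run both policies so they can be compared side by side."""
    return {"composition_rule_accepts": passes_composition_rule(pw),
            "nist_style_rejections": nist_style_rejections(pw, previous, profile_name)}


if __name__ == "__main__":
    # Constructed scenario: user JSMITH replaces 'Password' with a new value.
    for candidate in ("Password1!", "correct horse battery staple", "Jsmith-2024-summer!"):
        print(candidate, evaluate(candidate, "Password", "JSMITH"))
```

Run it and ‘Password1!’ satisfies the composition rule while failing all three NIST-style checks (too short, on the blocklist, and a trivial variant of ‘Password’); the 28-character passphrase does the reverse, failing the legacy rule and passing the modern one. A check of this shape, backed by a real breached-password list, belongs in the password-change path before rotation and special-character requirements are dropped.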

Password Elimination and Passwordless Authentication 

Some MFA methods go further and remove the password entirely, giving passwordless access to IBM i and other systems. Phishing-resistant Multi-Factor Authentication (phishing-resistant MFA) protects the MFA exchange itself, not only the password, from attempts to compromise it through phishing.

Further Reading: What is Phishing-Resistant Multi-Factor Authentication?

Phishing-resistant MFA removes shared secrets from the authentication exchange: passwords, passphrases, PINs, one-time codes, API keys, and any other value that the server stores and the user or client transmits. The federal strategy names PIV smart cards and the W3C WebAuthn (FIDO2) standard as qualifying methods; in both, a private key never leaves the user's device and each response is bound to the site the browser is actually talking to. The US government specifies phishing-resistant methods for identity verification in this passage from the Federal Zero Trust Strategy:

Agencies must require their users to use a phishing-resistant method to access agency hosted accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.

Phishing-resistant MFA is immune to an attacker intercepting the exchange or tricking the user into revealing it: there is no secret the user could type into a look-alike site, and the signed response is bound to the origin of the legitimate site, so a response captured on or relayed through a phishing site fails verification at the real server. Sign-on is only the start of a session, however; the tokens or cookies issued after a phishing-resistant sign-on still need protecting from theft.
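The difference between a relayable factor and a phishing-resistant one can be shown in a few dozen lines. The following is an added example, not code from this article, from IBM i, from any SEA product, or from a real FIDO2 library. It simulates an adversary-in-the-middle phishing proxy relaying two factors to the genuine server: a time-based one-time code derived from a shared secret, and a challenge signature in which the browser, not the user, supplies the origin that gets signed (the shape of a WebAuthn assertion). The host names and the OTP secret are constructed, and the signature scheme is a toy Schnorr group over the safe prime 1019 that offers no security at all; it exists only to show the origin binding.

```python
"""Why a relayed one-time code works for a phisher but a relayed
origin-bound signature does not.

Added illustration for this article; not code from the article, from IBM i,
from any SEA product, or from a real FIDO2 library. The host names are
constructed, the OTP secret is a constructed demo value, and the signature
scheme is a toy Schnorr group (p = 1019) with no security whatsoever; it
only reproduces the shape of a WebAuthn assertion, where the browser, not
the user, supplies the origin that gets signed.
"""
import hashlib
import hmac
import secrets
import struct

# ---- Factor A: time-based one-time code derived from a SHARED secret ----

def totp_code(shared_secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238-shaped code: HMAC-SHA1 over the 30-second counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(shared_secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def server_accepts_otp(shared_secret: bytes, code: str, unix_time: int) -> bool:
    """The server sees only six digits; it cannot tell which site the user
    typed them into, so a code captured on a phishing page replays fine."""
    return hmac.compare_digest(totp_code(shared_secret, unix_time), code)


# ---- Factor B: challenge signed together with the ORIGIN (WebAuthn shape) ----

P, Q, G = 1019, 509, 4   # toy safe prime p = 2q + 1; g = 4 has prime order q


def keygen() -> tuple:
    """Private key x stays inside the authenticator; the server keeps only y."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _hash_to_int(r: int, challenge: bytes, origin: str) -> int:
    data = r.to_bytes(2, "big") + challenge + origin.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def authenticator_sign(x: int, challenge: bytes, origin: str) -> tuple:
    """Schnorr signature over (challenge, origin). The origin is filled in by
    the browser from the page it is actually on; the user cannot change it."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _hash_to_int(r, challenge, origin)
    s = (k + x * e) % Q
    return e, s


def server_verify(y: int, challenge: bytes, expected_origin: str, sig: tuple) -> bool:
    """Recover r = g^s * y^(-e) and recompute the hash with the origin the
    relying party expects; any other origin yields a different hash."""
    e, s = sig
    r = (pow(G, s, P) * pow(y, (-e) % Q, P)) % P
    return _hash_to_int(r, challenge, expected_origin) == e


def relay_attack_outcome(unix_time: int = 1_700_000_000) -> dict:
    """Simulate an adversary-in-the-middle phishing proxy relaying both factors."""
    real_origin = "https://ibmi-signon.example"   # constructed
    phish_origin = "https://ibmi-sign0n.example"  # constructed look-alike

    # Factor A: victim types the code on the phishing page, proxy forwards it.
    otp_secret = b"constructed-demo-secret"
    relayed_code = totp_code(otp_secret, unix_time)
    otp_relay_ok = server_accepts_otp(otp_secret, relayed_code, unix_time)

    # Factor B: proxy forwards the real challenge, but the victim's browser
    # signs it with the phishing origin because that is where the page lives.
    x, y = keygen()
    challenge = secrets.token_bytes(32)
    relayed_sig = authenticator_sign(x, challenge, phish_origin)
    sig_relay_ok = server_verify(y, challenge, real_origin, relayed_sig)

    # The same credential used on the genuine site verifies.
    genuine_sig = authenticator_sign(x, challenge, real_origin)
    genuine_ok = server_verify(y, challenge, real_origin, genuine_sig)

    return {"otp_relay_succeeds": otp_relay_ok,
            "signature_relay_succeeds": sig_relay_ok,
            "genuine_signature_verifies": genuine_ok}


if __name__ == "__main__":
    print(relay_attack_outcome())
```

The relayed one-time code is accepted because the server has no way to know where it was typed; the relayed signature is rejected because the hash the server recomputes includes its own origin, not the phishing one. This is the property that the federal strategy's exclusion of SMS, one-time codes and push notifications is driving at, and it is why the same relay proxies that defeat OTP and push-based MFA fail against WebAuthn and PIV.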

MFA Simplifies, Strengthens, and Protects IBM i Security 

Moving from Single Factor Authentication (SFA) to Multi-Factor Authentication (MFA) can fundamentally change how IBM i passwords, passphrases, and other credentials are managed by:

1. Mitigating the risks of weak and default IBM i passwords.

2. Safeguarding IBM i sign-on against bad actors who steal server credentials with phishing techniques.

3. Simplifying password creation, reducing user frustration when inventing complex passwords for multiple IBM i servers.

4. Enabling a passwordless environment by eliminating IBM i passwords and other shared secrets.

IBM i Multi-Factor Authentication solutions such as iSecurity Multi Factor Authentication are inexpensive and easy to implement. They provide effective protection that enhances IBM i security and helps meet compliance needs.

Learn more about IBM i MFA by downloading SEA’s Guide to IBM i Multi-Factor Authentication (MFA), our complete guide for deploying this critical security feature on all your IBM i systems. Or Contact SEA for more information about IBM i MFA.