What does it mean to implement MFA and 2FA on the IBM i?
In response to recent cyberattacks, a May 2021 White House Executive Order “…mandates deployment of multifactor [sic] authentication and encryption within a certain time period.” Many regulatory standards—such as the Payment Card Industry (PCI) Data Security Standard (DSS), General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)—also explicitly reference user authentication techniques found in multi-factor authentication (MFA) and two-factor authentication (2FA) systems. Depending on which regulatory entities cover your industry, you may soon need to implement an IBM i multi-factor authentication system.
While MFA and 2FA are critical requirements in many environments, what does it mean to implement them on the IBM i? Today’s post is a primer for understanding MFA and 2FA usage on IBM i servers. It discusses these key topics and their implementation on IBM i.
- How MFA works
- MFA versus SFA and 2FA
- Where is MFA implemented on an IBM i?
- Problems implementing MFA
What is MFA?
Multi-factor authentication (MFA) requires that users present two or more independent pieces of authentication evidence confirming their identity before they can access a computer resource, such as an IBM i server.
There are three categories of authentication evidence (Knowledge, Possession and Inherence) that users can present to gain access to an MFA-protected system (figure 1). The user must present at least two pieces of identifying evidence (credentials), each from a different one of the following categories (factors), in order to use the system.
- Something you know (Knowledge factor): User password, answering security questions, personal identification numbers (PINs).
- Something you have (Possession factor): A physical security token, such as a USB key, a smart card, or a key fob. Sending a verification code to the user's cell phone or email address is a common way to verify possession evidence for a user accessing the system.
- Something you are (Inherence factor): Biological traits that are scanned for verification, including voice, fingerprint, handprint, retinal and facial recognition.
A typical example of an MFA process is a standard Web site password reset (figure 2). A user forgets their password and clicks on the Forgot password link. The Web site asks for answers to the user’s security questions (knowledge factor: something they know). The user correctly answers the questions. The Web site texts or emails a One-Time Password (OTP) to the user’s cell phone or email account (possession factor: something they have). MFA identity requirements have been satisfied. The user signs on with the temporary password and the Web site prompts them to change their password.
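The reset flow described above, written out as an added example (this is not code from the original post or from any SEA product). The in-memory user record, the five-minute OTP window and the one-attempt-per-code policy are constructed assumptions; the point it shows is that the OTP is only issued after the knowledge factor passes, and that the code is time-limited and consumed on use.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumption: a five-minute window for the texted/emailed code


def _hash_answer(answer):
    # Normalise so "Rover " and "rover" match, and hash so the stored answer is not plaintext.
    # Assumption: a production store would use a slow, salted KDF rather than plain SHA-256.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


def make_user(security_answer, contact):
    """Constructed user record: the enrolled security answer (knowledge factor)
    and the phone number or email the OTP is delivered to (possession factor)."""
    return {"answer_hash": _hash_answer(security_answer), "contact": contact,
            "pending_otp": None, "must_change_password": False}


def start_reset(user, answer, now=None):
    """Step 1 (knowledge factor): only a correct security answer triggers an OTP.
    Returns the six-digit code that would be sent to user['contact'], or None."""
    if not hmac.compare_digest(user["answer_hash"], _hash_answer(answer)):
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    user["pending_otp"] = (code, now + OTP_TTL_SECONDS)
    return code


def finish_reset(user, code, now=None):
    """Step 2 (possession factor): the OTP must be unexpired and is cleared on any
    attempt (constructed policy), so a captured code cannot be replayed. Returns a
    temporary password that must be changed at next sign-on, or None."""
    now = time.time() if now is None else now
    pending, user["pending_otp"] = user["pending_otp"], None
    if pending is None:
        return None
    expected, expires_at = pending
    if now > expires_at or not hmac.compare_digest(expected, code):
        return None
    user["must_change_password"] = True
    return secrets.token_urlsafe(12)
```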
MFA versus SFA and 2FA
MFA provides tighter security than entering a single user/password combination for system access (single-factor authentication, SFA). SFA is the easiest authentication method to crack: user passwords can be guessed, phished, intercepted, hacked, or discovered on a desktop. MFA makes an account much harder to break into even when its password has been compromised. If you are securing your IBM i with just a user/password combination (SFA), chances are good it will be improperly accessed.
There is also two-factor authentication (2FA). As shown in figure 3, 2FA is a subset of MFA that can satisfy MFA requirements. MFA requires identifying evidence from two or more credentials to verify a user's identity; 2FA requires identifying evidence from exactly two credentials, drawn from two different factor categories. This allows 2FA to satisfy MFA requirements (at least 2 out of 3 evidence factors presented) for most applications.
Where is MFA/2FA implemented on the IBM i?
MFA/2FA authentication techniques for the IBM i can be implemented for any area where an outside user or device requests access to IBM i resources or passwords. These include:
- Starting a Web, 5250, or other interactive client session with an IBM i system
- Changing an IBM i password and re-enabling disabled user profiles after authentication
- Connected device sign-on using APIs, automated processes and other IoT devices
IBM does not offer any native IBM i capabilities for enabling MFA for user and device access. Various third-party products for IBM i provide 2FA and MFA services for each of these situations. For example, SEA offers iSecurity Password Reset, which lets users reset and re-enable their IBM i passwords themselves without contacting Help Desk personnel.
In general, Knowledge and Possession MFA factor items (passwords, security questions, smart cards, cell phones) are more often used for IBM i access than Inherence factor items. However, some IBM i MFA systems and client apps are taking advantage of Inherence-based items such as facial recognition and fingerprint scanning that are more widely used on cell phones, tablets, laptops and desktop devices.
Problems Implementing MFA
MFA is a good but not perfect solution for securing IBM i access. When implementing an MFA system, there are several items to consider that can cause difficulties, including:
- Configuring MFA for user access: If using security and challenge questions to authenticate access, you will need to set up a transition plan to ensure all your users populate their MFA questions and answers.
- 2FA is hackable: There are several 2FA hacks including man-in-the-middle attacks, session hijacking, man-in-the-endpoint attacks and phishing attacks. When implementing 2FA, include your network team to plan for security issues and add authentication scam awareness to any phishing education provided to users and the Help Desk.
- User resistance: Some users may rebel depending on how you implement MFA. There may not be many objections to using MFA for resetting expired and disabled passwords. However, some users may object if they must answer security questions or obtain verification codes each time they sign on. There is a delicate balance between securing IBM i authentication and burdening your users with cumbersome password procedures.
- MFA/2FA is vulnerable to lost, broken or stolen devices: The Possession factor often depends on IBM i users accessing the system with a specific device, such as a cell phone or a tablet. If that device is lost, broken or stolen, or its phone number changes, the user's access to the MFA system can be cut off. With MFA, your IT and Help Desk will handle fewer password reset calls, but they will have to deal with some MFA user system resets.
Regardless of these issues, MFA and 2FA are solid technologies for increasing security and meeting compliance obligations. More advanced MFA systems are being developed that will patch some of these holes and make sign-in security even stronger.