IBM i (iSeries, AS/400) users can now meet PCI security recommendations for multi-factor authentication with a mobile-based solution.
Today Townsend Security announced a major enhancement to Alliance Two Factor Authentication for IBM i to fully support the new Payment Card Industry (PCI) recommendations for multi-factor authentication with Authy. Authy (A Twilio company) is one of the most popular mobile-based authentication solutions and is in wide use to protect web credentials.
Townsend Security's support for Authy means that IBM i (iSeries, AS/400) users can now deploy a popular and low-cost two factor authentication product without the expense of back-end hardware servers and hardware tokens. The Authy application installs on your mobile device or in your browser and provides Time-based One Time Passwords (PIN codes) on demand. Since Authy TOTP codes do not require a mobile network connection or an Internet connection, they are immune from gaps in connectivity to the network. Authentication on the IBM i platform simply requires opening the Authy application on your phone, viewing the one time code, and entering it on your IBM i signon screen. Alliance Two Factor Authentication then verifies the code with the Authy service and allows access to the IBM i platform.
Alliance Two Factor Authentication also now implements multi-factor authentication that is compliant with the new PCI guidance which requires that a user enter a user ID and password (something they know) at the same time that they enter their one time code generated by Authy on the mobile device (something you have). The Townsend Security solution implements a secondary user ID and password to use with Authy authentication to meet this level of compliance. A failed authentication on the IBM i server never discloses whether the user ID and password were invalid, or whether the one time code was invalid. This logic prevents the disclosure of important credential information that is common in Two Step Verification. An additional benefit to using the Authy application is that recovery from the loss of a mobile phone is simple and straightforward.
Because Authy uses a secure, time-based one time code and does not use SMS text delivery, it is secure and meets security best practices for authentication. Townsend Security's Alliance Two Factor Authentication solution continues to support SMS text delivery of one time codes, but the new Authy facility is the default for new installations.
"IBM i users need an affordable two factor authentication solution that removes the expense and headaches of hardware-based solutions. By using your mobile phone for the generation of one time codes, you never have to worry about administering a large number of hardware tokens," said Patrick Townsend, CEO of Townsend Security "The Authy service is secure, extremely affordable, easy to administer, and highly performant. IBM i customers can install Alliance Two Factor Authentication in a few minutes, provision an Authy account on their web site, and be using two factor authentication very quickly. It's a fast path to PCI compliance and better security."
You can find the PCI guidance document here.
Alliance Two Factor Authentication is licensed on a per logical partition (LPAR) basis, with perpetual and subscription licensing options available. Existing Alliance Two Factor Authentication customers on a current maintenance contract can upgrade to the new version at no charge.