
Two-Factor Authentication and the IBM i: A Beautiful Marriage


What problem does Two-Factor Authentication (2FA) solve?

The data breach at Target started in a typical way. The attackers planted malware on a user's PC via a phishing attack, captured a password, and used that password as the entry point from which they worked their way into the Target corporate network. In this case, the stolen credential belonged to a service provider to Target, not to one of Target's own users, but that's immaterial. The attack method was entirely typical: steal a user credential, log into a system, and pivot from there into the critical systems. You don't have to start by stealing the credentials to the most sensitive system; you can start at the periphery and work your way in.

Stealing user credentials and passwords turns out to be pretty easy. We humans tend to use weak passwords, we reuse the same passwords on multiple systems, and we readily divulge our passwords when asked by someone who seems to be a trusted insider. We are also prone to clicking on email attachments and Internet links without much thought, which leads to our PCs being infected with malware that silently steals our credentials and passwords.

Two-Factor Authentication (2FA) is the primary defense against stolen credentials. In addition to entering a password (something we know), we must present a second and different kind of proof: something we have (for example, a one-time code generated by a token or by an app on a device in our possession) or something we are (such as a fingerprint or an iris scan). Requiring two different factors makes it much harder for an attacker to reach critical systems. Capturing your user ID and password is easy; capturing the phone in your pocket or the token on your key chain is not. One caveat: the one-time code itself can still be phished or relayed to the attacker in real time, so the second factor raises the bar considerably but does not remove the need for user awareness and monitoring.

That's the beauty of 2FA! By requiring two different methods of authentication, it is much harder to impersonate a user.

A personal note: My first experience of malware was at Apple Computer in the early 1980s. I was working at one of Apple's new buildings in Cupertino, and we had all been given brand-new Mac Pluses. Wow, 512K of memory and a GUI interface! One day, I walked back from lunch at the Apple cafeteria, grabbed the mouse, and watched in horror as all of the icons melted and puddled at the bottom of the screen! This was a little joke played on us by the Apple techies, but it was a good first lesson. Never walk away from your computer without signing off!

How Is the IBM i Platform Affected?

The IBM i platform has a well-deserved reputation for security. The architects of the IBM i operating system built security in from the ground up, and we've all benefited from that effort. When implemented correctly, applications and data enjoy a high level of protection.

The modern IBM i user reaches the platform from a PC on the corporate network, from a PC over a remote connection, or from a mobile device. Cyber criminals know that they don't have to break IBM i security; they only need to capture a user ID and password from one of those PCs. Once the credentials have been guessed, phished, or harvested by malware, the attacker signs on to the IBM i server exactly as the legitimate user would, and every control that trusts the sign-on trusts the attacker too.

Attackers don't have to compromise IBM i security; they only need to compromise a user's PC. That's a much easier task!

Where Does 2FA Fit in My Overall Security Strategy?

We have to do a lot of things to get security right. Firewalls, intrusion detection, antivirus, log collection, active monitoring, password management, and encryption of data in motion and at rest are just some of the core requirements. Two-Factor Authentication is rapidly becoming an essential part of a comprehensive security strategy. As Heather Adkins, Google's manager of information security, famously said:

"Passwords are dead."

"Our relationship with passwords is done."

Those were pretty radical statements, but they reflect the reality of password management in the modern enterprise. There's no way to properly secure information systems with password protection alone.

Two-Factor Authentication is now in use by Google, Microsoft, Yahoo, and most major banks. There's no longer a credible security strategy that omits it.

What Are the Common Types of 2FA?

Two-Factor Authentication involves user authentication using any two of these three things:

  • Something you know (a password, etc.)
  • Something you have (a security token, a smart card, a cell phone, etc.)
  • Something you are (a fingerprint, an iris scan, a voiceprint, etc.)

Most implementations of 2FA involve commonly available technologies. Here are some examples:

  • A password and a fingerprint scan
  • A password and a unique public key infrastructure (PKI) certificate
  • A password and a PIN code from a token that you carry
  • A password and a cell phone to receive a PIN code via Short Message Service (SMS)

A caveat on the last option: a code sent by SMS proves control of a phone number rather than possession of a particular device. It can be redirected by a SIM swap or relayed by a phishing page that asks the user for the code in real time, which is why NIST SP 800-63B classes SMS one-time codes as a restricted authenticator. SMS still beats a password alone, but prefer an authenticator app or a hardware token where you can.

Here are some things that are not examples of 2FA:

  • Two passwords (this is two things you know—easy to capture)
  • A password and a secret question (two things you know—also easy to capture)

There's a lot of research on new ways to authenticate you, including voice pattern recognition, eye movement pattern recognition, embedded RF emitters in your clothing, and many others. But the examples above represent mainstream technologies that are trusted and ready to deploy.

Technology note: People often ask me whether 2FA can be combined with Single Sign-On (SSO). The answer is an emphatic yes! You don't have to give up the efficiency and security of SSO when you deploy a 2FA solution on your IBM i. Just remember that with SSO the IBM i never sees a password: the workstation's Kerberos ticket is mapped to an IBM i user profile through Enterprise Identity Mapping (EIM). So the 2FA check has to run on the IBM i side after the sign-on, for example from the user's initial program, rather than being assumed from the workstation login.

How Can 2FA Protect Access to My IBM i?

Two-Factor Authentication solutions are readily available for your IBM i platform. You can use legacy PIN code tokens that you carry with you, or you can find solutions that use out-of-band delivery of PIN codes directly to your cell phone or your desk phone.

Large enterprises and national security organizations are likely to deploy 2FA solutions that authenticate with something like a fingerprint or iris scan. But these technologies are not found as often in typical business environments.

How Can 2FA Protect My Applications?

We often think of Two-Factor Authentication as a way to secure the logon access to critical IT systems, but in fact it can easily be used to protect the business applications themselves. Imagine for a moment that you're a manager in a large global bank and your team regularly wires millions of dollars around the globe. Wouldn't you feel better knowing that the right person was doing those wires, not a cyber criminal? Two-Factor Authentication will really help you achieve that.

The right 2FA solution will give your IBM i developers an easy-to-use application program interface (API) that can be called to authenticate any critical application function. Here are some areas where 2FA might be of use:

  • Logon security (the most common use case)
  • Financial transaction security
  • Critical function security (IPL anyone?)
  • System configuration updates
  • Application configuration updates
  • Password management
  • And more. Let your imagination run wild!
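
To make the step-up API idea concrete, here is an added example that is not the article's code and not any vendor's product: a minimal TOTP verifier (RFC 6238, HMAC-SHA1, six digits, 30-second step) wrapped in a gate that an application would call before a sensitive function such as a wire transfer or an IPL. It is written in Python 3 using only the standard library (Python 3 runs on IBM i under PASE); the user profile name, the secret, the function names, and the attempt limits are assumptions for illustration, and the audit trail is an in-memory list standing in for QAUDJRN entries.

```python
"""Added example (not the article's or any vendor's code): an RFC 6238 TOTP
verifier behind a step-up gate with per-user lockout and an audit trail.
Standard library only; user names, secrets and limits are assumptions."""
import hashlib
import hmac
import struct
import time

STEP = 30             # seconds per TOTP time step
DIGITS = 6            # code length
SKEW = 1              # accept one step either side to tolerate clock drift
MAX_FAILURES = 5      # consecutive failures before lockout (assumed policy)
LOCKOUT_SECS = 900    # 15-minute lockout (assumed policy)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // STEP)


def totp_matches(secret: bytes, code: str, now: float) -> bool:
    """True if code is valid for the current step or a neighbouring one.
    Every candidate is evaluated and compared in constant time, so timing
    does not reveal which step (if any) matched."""
    counter = int(now) // STEP
    ok = False
    for c in range(counter - SKEW, counter + SKEW + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


class StepUpGate:
    """Wraps the verifier with failure counting, lockout and audit records."""

    def __init__(self, secrets):
        self.secrets = secrets        # user profile -> raw TOTP secret bytes
        self.failures = {}            # user -> consecutive failed attempts
        self.locked_until = {}        # user -> epoch seconds when lockout ends
        self.audit = []               # (epoch, user, function, outcome)

    def _log(self, now, user, function, outcome):
        # Stand-in for writing a QAUDJRN entry and forwarding it to the SIEM.
        self.audit.append((int(now), user, function, outcome))

    def authorize(self, user, code, function, now=None):
        """Call before a sensitive function; True only for a fresh, correct
        code from an enrolled user who is not locked out."""
        now = time.time() if now is None else now
        if user not in self.secrets:
            self._log(now, user, function, "UNENROLLED")
            return False
        if self.locked_until.get(user, 0) > now:
            self._log(now, user, function, "LOCKED")   # even a correct code is refused
            return False
        if totp_matches(self.secrets[user], code, now):
            self.failures[user] = 0
            self._log(now, user, function, "OK")
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECS
            self.failures[user] = 0
            self._log(now, user, function, "LOCKOUT")
        else:
            self._log(now, user, function, "FAIL")
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference secret; user "WIREOPR" is assumed.
    secret = b"12345678901234567890"
    gate = StepUpGate({"WIREOPR": secret})
    code = totp(secret, time.time())
    print("current code:", code)
    print("accepted:", gate.authorize("WIREOPR", code, "WIRE_TRANSFER"))
    for entry in gate.audit:
        print(entry)
```

The gate is what an RPG or CL program would call (through whatever API the product exposes) just before the wire is released or the IPL is submitted; the function name travels with the audit record so a reviewer can see which operation was being protected. Note that a locked-out user is refused even when the code is correct, which is what stops an attacker who holds the password from simply cycling through guesses until one lands.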

What Should I Look for in a 2FA Solution?

We're fortunate to have choices in 2FA solutions for the IBM i platform. Here are some things to look for:

  • Ease of deployment: A good 2FA solution should be easily deployed without the need for expensive consultants. If it's difficult to deploy, it's likely going to be difficult to maintain and support.
  • Ease of administration: You want better security, not a lot more work! It should be easy, straightforward, and fast to enroll a new user. 2FA solutions that are hard to administer are solutions that aren't going to get full adoption. So make sure you can enroll a new user rapidly.
  • Backup codes: Sooner or later, you're going to leave your smartcard, token, or cell phone at home. You don't want that to ruin your productivity for a day. Most 2FA solutions can issue single-use backup (bypass) codes for exactly this situation. Treat them as the credentials they are: hand one out only after verifying the user's identity by another route, record its use, and make sure it cannot be used twice.
  • Lockouts: What happens when an authentication fails is important. On the IBM i platform, we want to be able to revoke a user's authority to log in or optionally to disable their device. Remember that the cyber criminal most likely already has your password, so they have the luxury of guessing the 2FA code over and over, and a six-digit code has only a million possibilities. You need to be able to set a maximum number of 2FA attempts and then lock the user out.
  • Application integration: Securing user logins will probably be your first priority, but be sure that you also have the ability to secure application functions. A good 2FA solution should give you examples of embedding 2FA into your RPG and CL applications. A good RPG- and CL-friendly API will be very helpful!
  • System logging and monitoring: A 2FA solution should record both successful 2FA authentications and failed 2FA attempts. A sequence of failed 2FA attempts should immediately raise alarm bells, but for that to work the failed attempts must be recorded as entries in the IBM i security audit journal QAUDJRN and fed straight into your log collection and SIEM monitoring system.
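
The monitoring point deserves a worked example of what the SIEM side actually does with those records. The block below is added here and is not the article's code or any vendor's: it runs a simple correlation over 2FA audit records and raises one alert when a single user profile accumulates three failures within five minutes, and a second alert when a success follows such a burst (either a user who finally found the right token or an attacker who guessed the code; either way it deserves a look). The records are a constructed, simplified text export; real QAUDJRN entries have a fixed-column layout that a collector would parse instead, and the thresholds are assumed policy.

```python
"""Added example (not the article's or any vendor's code): SIEM-style
correlation over 2FA audit records. The line format is a constructed text
export, not the real QAUDJRN layout; thresholds are assumed policy."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

FAIL_THRESHOLD = 3   # failures per user within the window that trigger an alert
WINDOW_SECS = 300    # five-minute sliding window

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) func=(?P<func>\S+) outcome=(?P<outcome>\S+)$"
)

# Constructed sample: one clean success, a three-attempt burst against QSECOFR
# that ends in a success, two isolated APPDEV failures 40 minutes apart, and
# one line of junk that must not break the parser.
SAMPLE_LOG = """\
2024-03-05T09:14:02Z user=WIREOPR func=WIRE_TRANSFER outcome=OK
2024-03-05T09:20:11Z user=QSECOFR func=SIGNON outcome=FAIL
2024-03-05T09:20:19Z user=QSECOFR func=SIGNON outcome=FAIL
2024-03-05T09:20:27Z user=QSECOFR func=SIGNON outcome=FAIL
2024-03-05T09:20:40Z user=QSECOFR func=SIGNON outcome=OK
2024-03-05T10:05:00Z user=APPDEV func=CFGUPD outcome=FAIL
2024-03-05T10:45:00Z user=APPDEV func=CFGUPD outcome=FAIL
this line is not an audit record
"""


def parse(line: str):
    """Return a dict with an epoch timestamp, or None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    stamp = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["epoch"] = stamp.replace(tzinfo=timezone.utc).timestamp()
    return rec


def correlate(log_text: str, threshold=FAIL_THRESHOLD, window=WINDOW_SECS):
    """Sliding-window failure counting per user profile; returns alert dicts."""
    recent = defaultdict(deque)   # user -> epoch times of failures in the window
    burst_raised = set()          # users already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue              # a real collector would count and report these
        user, now = rec["user"], rec["epoch"]
        q = recent[user]
        while q and now - q[0] > window:
            q.popleft()           # expire failures that fell out of the window
        if not q:
            burst_raised.discard(user)
        if rec["outcome"] in ("FAIL", "LOCKOUT"):
            q.append(now)
            if len(q) >= threshold and user not in burst_raised:
                alerts.append({"rule": "FAIL_BURST", "user": user,
                               "count": len(q), "at": rec["ts"]})
                burst_raised.add(user)
        elif rec["outcome"] == "OK":
            if len(q) >= threshold:
                alerts.append({"rule": "OK_AFTER_FAILURES", "user": user,
                               "count": len(q), "at": rec["ts"]})
            q.clear()
            burst_raised.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the sample above the correlation produces exactly two alerts, both for QSECOFR, and stays quiet about APPDEV because the two failures are far outside the window. The burst rule fires once per burst rather than on every subsequent failure, which keeps a brute-force attempt from flooding the console while still surfacing it promptly.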

Staying Safe

I hope this introduction to Two-Factor Authentication on the IBM i has been helpful. Security is an ever-evolving practice, and there's a 2FA experience in your future!

Patrick Townsend

Patrick Townsend is president of Patrick Townsend Security Solutions. The company provides encryption and key management solutions for IBM System i, IBM System z, Windows, Linux, and UNIX platforms.
