Two-Factor Authentication and the IBM i: A Beautiful Marriage

IBM i (OS/400, i5/OS)
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

What problem does Two-Factor Authentication (2FA) solve?


The data breach at Target started in a typical way. The attackers planted malware on a user's PC via a phishing attack, captured a password, and used that password as the entry point to work their way into the Target corporate network. In this case, the stolen user credential was at a service provider to Target, not one of Target's own users. But that's immaterial. The attack method was very typical: steal a user credential to log into a system, and enter into the critical systems from there. You don't have to actually start by stealing the credentials to the most sensitive system. You can start at the periphery and work your way in.


Stealing user credentials and passwords turns out to be pretty easy. We humans tend to use weak passwords, we use the same passwords on multiple systems, and we readily divulge our passwords when asked to by seemingly trusted insiders. We also are susceptible to clicking on email attachments and Internet links without too much thought, and this leads to the infection of our PCs with malware that silently steals our credentials and passwords.


Two-Factor Authentication (2FA) is the primary method of countering the attack on stolen credentials. In addition to entering a password (something we know), we must also present a second and different method of authenticating ourselves. We do this by providing something we have (perhaps a unique PIN code or token from a personal device) or something we are (such as a fingerprint or iris scan). By requiring two different factors of authentication, we make it much more difficult for an attacker to gain access to critical systems. An attacker can easily capture your user ID and password, but it's much harder to capture your cell phone or a PIN token that you keep on your key chain.


That's the beauty of 2FA! By requiring two different methods of authentication, it is much harder to impersonate a user.


A personal note: My first experience of malware was at Apple Computer in the early 1980s. I was working at one of Apple's new buildings in Cupertino, and we had all been given brand-new Mac Pluses. Wow, 512K of memory and a GUI interface! One day, I walked back from lunch at the Apple cafeteria, grabbed the mouse, and watched in horror as all of the icons melted and puddled at the bottom of the screen! This was a little joke played on us by the Apple techies, but it was a good first lesson. Never walk away from your computer without signing off!


How Is the IBM i Platform Affected?

The IBM i platform has a well-deserved reputation for security. The architects of the IBM i operating system built security in from the ground up, and we've all benefited from that effort. When implemented correctly, applications and data enjoy a high level of protection.


The modern IBM i user accesses the platform from a PC over a standard network connection, from a PC over a remote connection, or from a mobile device. Cyber criminals know that they don't have to break IBM i security; they only need to capture a user ID and password from a user PC! Once user credentials have been guessed or acquired from malware, the entry to the IBM i server has been accomplished!


Attackers don't have to compromise IBM i security; they only need to compromise a user's PC. That's a much easier task!


Where Does 2FA Fit in My Overall Security Strategy?

We have to do a lot of things to get security right. Firewalls, intrusion detection, antivirus, log collection, active monitoring, password management, and encryption of data in motion and at rest are just some of the core requirements. Two-Factor Authentication is rapidly becoming an essential part of a comprehensive security strategy. As Heather Adkins, Google's manager of information security famously said:


"Passwords are dead."


"Our relationship with passwords is done."


Those were pretty radical statements, but they reflect the reality of password management in the modern enterprise. There's no way to properly secure information systems with password protection alone.


Two-Factor Authentication is now in use by Google, Microsoft, Yahoo, and all major banks. There's no longer a credible security strategy that omits it.


What Are the Common Types of 2FA?

Two-Factor Authentication involves user authentication using any two of these three things:

  • Something you know (a password, etc.)
  • Something you have (a security token, a smart card, a cell phone, etc.)
  • Something you are (a fingerprint, an iris scan, a voiceprint, etc.)


Most implementations of 2FA involve commonly available technologies. Here are some examples:

  • A password and a fingerprint scan
  • A password and a unique public key infrastructure (PKI) certificate
  • A password and a PIN code from a token that you carry
  • A password and a cell phone to receive a PIN code via Short Message Service (SMS)


Here are some things that are not examples of 2FA:


  • Two passwords (this is two things you know—easy to capture)
  • A password and a secret question (two things you know—also easy to capture)


There's a lot of research now on new ways to authenticate you, including voice pattern recognition, eye movement pattern recognition, embedded RF emitters in your clothing, and many others. Lots of research going on in this area! But the examples above represent mainstream technologies that are trusted and ready to deploy.


Technology note: People often ask me if 2FA can be combined with Single Sign-On (SSO). The answer is an emphatic yes! You don't have to sacrifice the efficiency and security of SSO when you deploy a 2FA solution on your IBM i. Just remember that you should perform 2FA authentication after you sign on to the IBM i in order to provide the 2FA security on the IBM i platform that you need.


How Can 2FA Protect Access to My IBM i?

Two-Factor Authentication solutions are readily available for your IBM i platform. You can use legacy PIN code tokens that you carry with you, or you can find solutions that use out-of-band delivery of PIN codes directly to your cell phone or your desk phone.


Large enterprises and national security organizations are likely to deploy 2FA solutions that authenticate with something like a fingerprint or iris scan. But these technologies are not found as often in typical business environments.


How Can 2FA Protect My Applications?

We often think of Two-Factor Authentication as a way to secure the logon access to critical IT systems, but in fact it can easily be used to protect the business applications themselves. Imagine for a moment that you're a manager in a large global bank and your team regularly wires millions of dollars around the globe. Wouldn't you feel better knowing that the right person was doing those wires, not a cyber criminal? Two-Factor Authentication will really help you achieve that.


The right 2FA solution will give your iBM i developers an easy-to-use application program interface (API) that can be called to authenticate any critical application function. Here are some areas where 2FA might be of use:


  • Logon security (the most common use case)
  • Financial transaction security
  • Critical function security (IPL anyone?)
  • System configuration updates
  • Application configuration updates
  • Password management
  • And more. Let your imagination run wild!


What Should I Look for in a 2FA Solution?

We're fortunate to have choices in 2FA solutions for the IBM i platform. Here are some things to look for:


  • Ease of deployment: A good 2FA solution should be easily deployed without the need for expensive consultants. If it's difficult to deploy, it's likely going to be difficult to maintain and support.
  • Ease of administration: You want better security, not a lot more work! It should be easy, straightforward, and fast to enroll a new user. 2FA solutions that are hard to administer are solutions that aren't going to get full adoption. So make sure you can enroll a new user rapidly.
  • One-time passwords (OTPs): Sooner or later, you're going to leave your smartcard, token, or cell phone at home. You don't want to let that ruin your productivity for a day. Most 2FA solutions provide an option for one-time passwords. With OTPs, you can get past that forgetful moment and get on with your life!
  • Lockouts: What happens when an authentication fails is important. On the IBM i platform, we want to be able to revoke a user's authority to log in or optionally to disable their device. Remember that the cyber criminal most likely has your password, so they have the luxury of continually trying to guess the 2FA PIN code. You need to be able to set a maximum number of 2FA attempts and then lock the user out.
  • Application integration: Security user logins will probably be one of your priorities, but be sure that you have the ability to secure application functions, too. A good 2FA solution should give you examples of embedding 2FA into your RPG and CL applications. A good RPG- and CL-friendly API will be very helpful!
  • System logging and monitoring: A 2FA solutions should record both successful 2FA authentications and failed 2FA attempts. Of course, a sequence of failed 2FA attempts should immediately raise alarm bells. But for this to work correctly, the failed attempts should be recorded with entries to the IBM Security Audit journal QAUDJRN and should be integrated right into your log collection and SIEM monitoring system.


Staying Safe

I hope this introduction to Two-Factor Authentication on the IBM i has been helpful. Security is an ever-evolving practice, and there's a 2FA experience in your future!