Townsend Security Data Privacy Blog

Two Factor Authentication (2FA) on the IBM i

Posted by Luke Probasco on May 14, 2014 3:30:00 PM

Google is doing it.  Amazon is doing it, too.  Apple, Microsoft, Facebook, and Twitter have also been using it.  What is stopping you from deploying two factor authentication on your IBM i?

Two Factor Authentication IBM i White Paper How do you stop a hacker who has just accessed a username and password that allows them *ALLOBJ authority on your IBM i?  Despite your best efforts at locking down user accounts, including enforcing complex and unique passwords, your most restricted credentials are now in the hands of hackers.
 
For companies who have deployed a two factor authentication solution on their IBM i, the situation is less dire.
 
While the IBM i is generally considered a very secure platform, it is still susceptible to hackers.  Most users access the IBM i via a PC, which are constantly being targeted with Malware.  Malware on a PC can easily capture usernames and passwords, send that information to a hacker, and in turn, open your systems up to a data breach.  Other points of attack include:

  • Memory scraping
  • Stolen vendor credentials
  • Stolen user passwords from external web services

Fortunately, there is still a way to stop hackers who have your top credentials – with two factor authentication.  By requiring two of the following for their users, businesses can easily enhance their security in a cost-effective way:

  • Something you know, such as a password
  • Something you have, such as a phone or fob
  • Something you are, such as a fingerprint

In Verizon’s “2014 Data Breach Investigations Report”, the company found that of the 63,437 total security incidents that occurred in 2013, “stronger passwords would help reduce the number of incidents, but larger organizations should also consider multiple factors to authenticate third-party and internal users.”  The report continued, “Two-factor authentication will help contain the widespread and unchallenged re-use of user accounts.”

Choosing a Two Factor Authentication Solution
Historically, companies used physical tokens (something you have) to provide authentication on the IBM i beyond username and password.  Unfortunately, tokens increasingly do not make fiscal sense for enterprise IT departments who have to deploy, manage, and troubleshoot these tokens.  Further, tokens are not foolproof as the recent attack on RSA proved.

Innovative solutions, such as Alliance Two Factor Authentication, that leverage the phone as a reliable means of out-of-band authentication have emerged. For example, instead of tokens, businesses can simply send an SMS or voice message containing a one-time authentication code to the IBM i user’s phone. This means cyber criminals cannot log into the IBM i without physical control of the actual phone.

Mobile-based two factor authentication solutions have become the preferred choice for businesses who don’t want the added expense of security tokens and the overhead of deploying and maintaining an appliance.  By deploying a two factor authentication solution on the IBM i, businesses can protect their critical data and operations, as well as their reputation, by adding an additional, cost-effective layer of security.

For more information, download the white paper Two Factor Authentication on the IBM i – Security Beyond Usernames and Passwords to learn more about why the IBM i may not be as secure as you think, the need for authentication on the IBM i, and how to meet compliance requirements with two factor authentication.

White Paper Two Factor Authentication on the IBM i

Topics: two factor authentication, Alliance Two Factor Authentication