You are currently on IBM Systems Media’s archival website. Click here to view our new website.

MAINFRAME > Administrator > Security

IBM Multi-Factor Authentication for z/OS Helps Maintain a Secure Infrastructure

IBM Multi-Factor Authentication for z/OS

An explosion of malicious attacks of increasing sophistication on computer systems has occurred recently. According to the “IBM 2015 Cyber Security Intelligence Index” (, in 2014, unauthorized access topped the list of incident categories affecting the top five industries named in this report, comprising about 37 percent of total incidents. The increased use of low-cost and powerful password cracking systems has made attacks much easier, placing the burden on organizations to increase their levels of defense.

IBM Multi-Factor Authentication (MFA) for z/OS* provides a way to raise the assurance level of user authentication to z/OS applications and hosting environments by allowing the use of multiple authentication factors.

IBM MFA for z/OS is tightly integrated with z/OS Security Server (RACF*), which stores configuration and provisioning data, and provides an SMF audit trail to track authentication factors. IBM MFA can also help provide security administrators with the ability to enforce a granular authentication policy on a per-user basis.

Nearly 60 percent of security leaders interviewed in a 2014 IBM CISO assessment claim that the sophistication of attackers was outstripping the sophistication of their organizations’ defenses ( More than 80 percent of security leaders have seen external threat increases in the past three years, and it’s currently viewed as a top challenge (see Figure 1). In addition, regulations such as PCI DSS and government ID cards are driving the need for MFA as a requirement for compliance.

Mobile and cloud architectures make it imperative to reduce the risk of external threats, raising questions about the adequacy of password protection. Many passwords use common defaults that are easily guessed. Password vulnerabilities were named in several high profile hacks in recent years, and the 2014 Verizon Data Breach Investigation Report ( states that use of stolen credentials has become a top threat, where 95 percent of incidents involve harvesting credentials stolen from customer devices and logging into Web applications with them. More than 1 billion personal data records were reported stolen in 2014 alone, most of which contained user passwords (

IBM MFA for z/OS provides an additional tier of defense for authentication, reducing the likelihood that the perpetrator will have two or more factors lined up to gain access to critical systems.

Various Credentials Needed

MFA is a popular, agreed-upon method that uses a multitiered defense system to inhibit unauthenticated users from successfully accessing secured data or other assets. It combines several credentials, typically something the user knows and has, to provide additional tiers of defense (see “Multifactor Authentication Explained,”). With MFA, if one layer is compromised, other layers remain in place, presenting additional barriers to access. Multiple factors are possible; biometric data, such as fingerprint readers, can serve as another layer of defense. With the adoption of MFA, banks and financial institutions have increased confidence that only authorized users can access private, confidential data.

IBM’s Implementation

IBM MFA requires z/OS V2.1 or V2.2 and RSA Authentication Manager 8.1. IBM MFA for z/OS and RACF are designed to support both hardware- and software-based RSA SecurID tokens. By extending the RACF to enable multiple authentication factors, security administrators can enforce a granular multifactor authentication policy on a per-user-ID basis.

Barbara Sannerud is responsible for z Systems Enablement and has 25 years of industry experience in servers, software and services, with a focus on risk and security management.

John Petreshock, project management professional, is z Systems security offering manager with 19 years of experience covering development, test and product management focusing on z Systems security.



2019 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.


Implementing Cryptographic Keys

Protect your Linux server from root password-guessing attacks.

Network Security

The zEnterprise System changes firewall requirements.

Data Lockdown

Use DB2 and z/OS to prevent security breaches.

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
Mainframe News Sign Up Today! Past News Letters