HelpSystems Tackles IBM i Password Woes
May 15, 2017 Alex Woodie
Passwords, in many ways, are the bane of our digital existence. We can’t live with passwords, but we certainly can’t live without them either. HelpSystems is aware of the challenges posed by this necessary evil, and has plans to alleviate the password pain with a series of new products and enhancements to existing ones.
Last week at the COMMON Annual Meeting and Expo in Orlando, Florida, HelpSystems Vice President of Technical Services Tom Huntington previewed for IT Jungle a new product the company plans to ship by the end of June.
The new product is called Access Authenticator, and it’s designed to assist IBM i shops with implementing more advanced forms of authentication than the relatively simple combination of a user ID and password. Specifically, Access Authenticator helps IBM i shops adopt multi-factor authentication (MFA), which is also referred to as two-factor authentication (2FA).
The principles behind MFA and 2FA are the same: rather than granting access to a server on a user ID and password alone, the system requires the user to present something they know, such as a user ID and password, together with something they have, such as a secret code, a trusted piece of hardware, or a biometric item (like a fingerprint or iris scan).
Access Authenticator provides several options for satisfying that second factor, through an IBM i agent used for 5250 green screen sessions and a Windows agent used for Windows desktops. Users can authenticate with the following methods:
- a YubiKey, a FIDO-certified USB device
- secret code sent to smart phone via SMS text message
- secret code sent to smart phone via mobile app (Android or iOS)
- a one-time password sent via the mobile app
- fingerprint scanner on smart phone
- one-time authentication of laptop or PC
Access Authenticator integrates into the security workflow of the IBM i operating system. HelpSystems says the IBM i agent can be prompted to require a secondary authentication method when the user tries to sign onto the system. It can also be tied to exit programs, which would force users to re-authenticate themselves when they try to access services, such as sending a file via FTP or initiating a TN5250 session, the company says.
IBM i users interact with Access Authenticator through Insite, the new Web-based interface that HelpSystems is in the process of adopting for all of its products. Upon being enrolled by an administrator, a user is emailed a link to the Insite-based portal, where they complete the registration process and maintain their own authentication credentials.
The portal is also used to transfer a user’s Access Authenticator settings to their mobile device, which is done by generating a QR code that the phone then scans. Users can also use the portal to generate one-time passwords that they can print and use offline (a feature that can be turned off by the admin).
Access Authenticator gives administrators full control over user enrollment and the availability of authentication methods. It also provides a way to have one-time emergency passwords sent via email, and to remove inactive users from the system. The software integrates with Active Directory via the LDAP protocol, and maintains its own database of available and enrolled users.
The product maintains a full audit trail of all activity and generates reports about authentication attempts, user maintenance activity (such as generation of one-time passwords), and disabled users. The software can send alerts to administrators when it detects hack attempts, and supports a high availability configuration.
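As an added illustration of the mechanics described above (the know-plus-have principle, the printable single-use offline codes, and an audit trail that alerts on repeated failed attempts), here is a small Python login verifier. It is example code written for this page, not HelpSystems or Access Authenticator code, and the article says nothing about how the product generates its codes: the example assumes an RFC 6238 time-based code for the mobile-app factor, scrypt-hashed passwords, and SHA-256-hashed backup codes. The secret, user and codes are constructed for the demonstration; the TOTP secret is the RFC 6238 test key so the output can be checked against the published vectors.

```python
"""Two-factor login check: a password (something you know) plus either a
time-based one-time code or a printed single-use backup code (something you
have). Constructed example using RFC 4226/6238 arithmetic; not product code."""
import hashlib
import hmac
import os
import secrets
import struct

DIGITS = 6         # length of the one-time code
STEP = 30          # seconds per TOTP window
ALERT_AFTER = 3    # consecutive failures that raise an administrator alert


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


def hash_password(password: str, salt: bytes) -> bytes:
    """Memory-hard password hash; parameters chosen for a quick demo."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class User:
    """Enrolled user: salted password hash, TOTP secret, backup codes, audit log."""

    def __init__(self, name: str, password: str, totp_secret: bytes):
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.backup_hashes = set()   # only hashes are stored, never the codes
        self.failures = 0
        self.audit = []              # (event, detail) records

    def issue_backup_codes(self, count: int = 5) -> list:
        """Generate printable offline codes; each is accepted exactly once."""
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).digest() for c in codes}
        self.audit.append(("backup_codes_issued", count))
        return codes


def verify_login(user: User, password: str, code: str, now: int, alerts: list):
    """Return (accepted, reason). Every attempt is logged; repeated failure alerts."""

    def fail(reason: str):
        user.failures += 1
        user.audit.append(("login_failed", reason))
        if user.failures >= ALERT_AFTER:
            alerts.append(f"{user.name}: {user.failures} consecutive failed logins")
        return False, reason

    # Factor 1: something you know. Constant-time compare of the scrypt output.
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return fail("bad password")

    # Factor 2a: time-based code; accept one window either side for clock skew.
    window = now // STEP
    for counter in (window - 1, window, window + 1):
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            user.failures = 0
            user.audit.append(("login_ok", "totp"))
            return True, "totp"

    # Factor 2b: printed backup code, consumed on first use.
    digest = hashlib.sha256(code.encode()).digest()
    if digest in user.backup_hashes:
        user.backup_hashes.discard(digest)
        user.failures = 0
        user.audit.append(("login_ok", "backup_code"))
        return True, "backup_code"

    return fail("bad second factor")
```

The password is checked before the second factor so that a wrong code cannot be used to probe whether a password guess was right, and the backup codes are stored only as hashes so a copy of the database does not yield usable codes. The skew window of one step on each side is a common trade-off between usability and replay exposure; a production implementation would also record which time window was consumed so the same TOTP value cannot be replayed within the window.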
Access Authenticator is not the first MFA or 2FA product available on the IBM i platform. It’s not even the first MFA or 2FA product in HelpSystems’ product catalog, as the company also offers a plug-in for RSA’s authentication product, called RSA SecurID for IBM i.
While RSA (owned by Dell EMC) is a trusted leader in authentication, the main drawback of its 2FA solution is that it requires customers to run additional RSA software on a separate server, Huntington says. With Access Authenticator, almost everything stays on the IBM i server, except the Active Directory database and the Windows agent.
HelpSystems is upping its MFA strategy just in time. By the end of this year or early 2018, MFA or 2FA is slated to become a requirement for passing PCI DSS audits. And while 2FA and MFA methods aren’t expressly named as requirements in the security sections of HIPAA and the EU’s General Data Protection Regulation (GDPR), many organizations, including HelpSystems, are recommending MFA as a way to ensure compliance with these tough industry regulations.
In addition to Access Authenticator, HelpSystems is rolling out an update to Power Admin designed to enable users to synch passwords used for different IBM i LPARs.
Power Admin, which PowerTech introduced three years ago, is an administrative tool designed to simplify management of user profiles when implementing role-based access control (RBAC) in an IBM i environment. Later this summer, HelpSystems plans to add password synchronization to this product, by way of integration with Active Directory, Huntington says.
Password synchronization, Huntington points out, is different than single sign-on (SSO) enabled by IBM i-supported technologies like Kerberos. With a password synch project, all the passwords that a worker uses to access various systems are synched up, or made identical, but the user must still sign in to each of the environments individually.
With Kerberos-based SSO, a user is authenticated once at the beginning of the session and no longer has to sign into each application or system individually, as long as the system or app supports the Kerberos protocol and the “tickets” it is based around. However, not all IBM i applications work with Kerberos, Huntington explains, which makes the password synch method more attractive.
But wait, there’s even more! HelpSystems is also making progress in the password self-help arena. The company already offered a green screen product, developed by Safestone Technologies (acquired by HelpSystems in 2012), that allows users to reset their own passwords when they (invariably) forget or lose their old passwords.
In March, HelpSystems brought that Safestone capability to the new Insite interface via a series of widgets. So now, users can re-authenticate themselves to the system by correctly answering a series of challenge questions. The Safestone software did other things – such as removing default passwords, mandating complicated passwords, and requiring users to periodically choose new passwords – and it’s assumed these features now exist within Insite’s HTML5 interface, which can be accessed from PCs and mobile devices alike.
Annoying as they are, passwords are not going away anytime soon. Yes, it is a pain in the buttocks when you forget them – especially so when long and complicated passwords are mandated – but considering how successful hackers are at eavesdropping on users in our uber-connected world, it’s probably worth taking some time to ensure that you’re implementing password-based security correctly in your shop.