Understanding Your 2FA Options for IBM i
November 15, 2017 Alex Woodie
It’s hard to have too much security on the Web these days, particularly with a preponderance of hackers, botnets, and keyloggers hanging around. One way to boost one’s cyber security is to use two-factor authentication, or 2FA, when connecting to sensitive applications and databases. Luckily, the technology is available for IBM i, too.
2FA is a technique that boosts the security of the log-on process and thwarts unauthorized access of sensitive systems. Instead of letting a person onto a computer based on the combination of just a user name and password, 2FA requires the person to have an extra identifier. This is commonly referred to as the “something you know and something you have” approach.
In the early days of 2FA as envisioned by security giant RSA, users had to carry around a hardware device called a SecurID that would generate an authentication code at 60-second intervals. If the user correctly entered that code into the console when prompted, the system would grant them access.
In today’s world, those hardware tokens have largely been replaced by smartphone-based text messaging and email. When a user initiates a log-on and identifies himself to a server, that server will send a call to a code-generation service to send a unique code to the phone number or email address associated with that user. The user then receives that text, enters the code, and is granted access to the system, thus proving that he knows something (the password) and he has something (the smartphone or access to the email account).
So, if you work at an IBM i shop, you should know that there are two main ways to add 2FA capabilities to your IBM i environment: write the software yourself, or buy a pre-packaged offering.
The good news for IBM i shops is there are several general-purpose 2FA packages available for IBM i: Alliance Two-Factor Authentication from Townsend Security, ARP-AUTH from Arpeggio Software, i2Pass from Kisco Information Systems, and the Safestone Agent for RSA’s SecurID from HelpSystems. HelpSystems also has the Access Authenticator product, which it unveiled in May.
Other IBM i vendors have added 2FA to their products, including Linoma Software, which added 2FA to its managed file transfer software, and mrc, which added 2FA to its Web-based development framework. But IBM i shops looking for a way to implement 2FA on a system-wide basis will need one of the general purpose products.
Townsend Taps Twilio
Townsend Security has emerged as a leader in the 2FA space with Alliance Two-Factor Authentication, which it launched back in 2014. At the time, the software utilized the text-based push notifications powered by TeleSign, a communications service provider based in Los Angeles that was recently acquired by a French firm.
Last week, the Olympia, Washington-based company announced that it has added support for sending text messages via Twilio's communication service. The upshot of this addition is that IBM i customers can now integrate SMS text authentication directly into their own applications.
“Need an out-of-band authentication for that multi-million dollar financial transaction?” the company says in its press release. “You can now do that directly from your business applications with the Send Text Message with Twilio (SNDTXTTWI) command and application program interfaces (APIs).”
Support for the new SMS texting app can also be used to notify employees of non-security related business events, such as a low-inventory situation or if a business process has been delayed. Townsend Security says that it also gives customers the capability to “embed links into the text messages to help users quickly solve problems and accomplish critical tasks.”
While getting a push notification in response to a business event is nice, enabling secure authentication to the IBM i server is the most important use for Alliance Two-Factor authentication due to the critical nature of the business applications running on the system and the attractiveness that poses to hackers, says Patrick Townsend, the company’s CEO.
“A single IBM i server is often host to a large number of sensitive applications,” he says. “It is common that IBM i customers run human resources, CRM, ERP, and other applications on a small number of IBM i servers that then become a target for cyber criminals. The use of two-factor authentication to protect highly privileged users is a security best practice.”
Townsend Security still supports the TeleSign interface. “But I thought that Twilio had a better implementation for secure connections to their service,” the CEO tells IT Jungle. “Also Twilio has a deeper field of API-driven communications applications that I think we will leverage in the future. Since we had to make some changes to support TLS 1.2 secure connections, Twilio made a lot of sense! And it is also very affordable for our smaller IBM i customers.”
2FA Adoption Lags
Despite the extra level of security that 2FA can offer to IBM i shops and the entire computing world, it’s still not widely used.
According to a recent study by 2FA provider Duo, only 28 percent of Americans use 2FA. More than 56 percent of the participants in the study had never heard of 2FA. “Most people don’t understand the importance of 2FA in helping prevent unauthorized access,” Duo concluded in the report (the opinion survey had a margin of error of about 4 percent).
Of those that had heard of 2FA, SMS/email was by far the most popular way to conduct 2FA, followed by an authenticator app that generates a one-time password (OTP), and getting a code via a phone call. The use of hardware tokens has dropped considerably over the years, Duo found.
However, not all 2FA mechanisms are equal, according to Duo, which cited recent findings that cast doubt on some 2FA methods. In particular, it cited a statement that NIST made in July about “the general insecurity of out-of-band authentication via SMS due to its susceptibility to interception or redirection,” and NIST’s Digital Identity Guidelines that “acknowledged that methods like voice-over-IP (VoIP) or email do not prove the possession of a specific device.”
It all comes down to hygiene. “Brushing your teeth with a conventional toothbrush is better than not brushing at all; however, an electric toothbrush is better,” Duo says. “Similarly, using SMS is better than nothing, but it isn’t as good as an authenticator app, which isn’t as good as using a security key.”
Considering the drumbeats of regulation concerning 2FA, and the possibility that it will become a requirement in the future, it’s probably worth keeping an eye on the evolution of 2FA on IBM i.