Vendors Fill In The Gaps With IBM’s New MFA Solution

Alex Woodie

The new multi-factor authentication (MFA) capability that IBM has built into the IBM i operating system is a real gamechanger in terms of securing the system and preventing unauthorized access to applications and data. However, it lacks some key capabilities that some customers are looking for in an MFA solution, which third-party vendors are eager to fill.

The native MFA function that Big Blue delivered with IBM i 7.6 is being praised almost universally throughout the IBM i community as a massive security improvement. The MFA functionality, which uses randomly generated time-based one-time passwords (TOTP), is built directly into the operating system, is easy to use, is extensible and expandable, and is configurable to meet customers' needs.

It’s hard to find a downside to built-in MFA, which IBM’s biggest IBM i customers have been requesting for years. With that said, IBM’s new MFA function doesn’t check every MFA box for every enterprise. That’s not a knock on the new product, as no single MFA solution can do everything for everybody.

For starters, the new MFA capability runs only on IBM i 7.6. IBM would surely love every IBM i shop to go out and upgrade to IBM i 7.6 right now, but that’s not likely to happen. Customers will be able to use the new built-in MFA capability to secure access to Power boxes running IBM i 7.6 but will need to look elsewhere to protect boxes running IBM i 7.5 and older releases.

What’s more, not every server runs on IBM i. Again, Rochester would love for that not to be the case, but the reality is that nearly every IBM i customer also runs some industry-standard gear (Windows and Linux), while the bigger shops have a mishmash that spans Unix and System Z, as well as older gear.

The new MFA offering requires security level 40 or higher and password level 4. That’s not going to be a problem for most IBM i shops, as the vast majority of IBM i shops are now running at security level 40, according to the recent Fortra State of IBM i Security survey, which we wrote about last week.

However, some IBM i shops, for whatever reason, cannot run at security level 40, which is the minimum security level recommended by IBM. That leaves room for vendors like Kisco Systems, which develops the i2Pass MFA software for IBM i.

“While I think every shop should already be in this state, the truth is most aren’t,” says Justin Loeber, the head of development at Kisco. “And upgrading password level can be a project. Ideally, customers should bite the bullet and do the work (we can help!) but if that’s too big of a lift, the new MFA exit point bypasses these requirements from IBM.”

Loeber also points to ease of use being a potential concern with the new IBM i MFA facility. Until IBM redesigns the user interfaces, users will be asked to type the TOTP that’s generated by their mobile device into the password field.
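How the TOTP values described here are produced and checked, as an added example in Python that is not IBM's code or any vendor's. It follows the RFC 6238 defaults (HMAC-SHA1, a 30-second time step, six digits); the page does not say which parameters the native facility uses, so that is an assumption, and the key is the RFC reference secret used as a constructed sample, not a real one. The verifier accepts one time step of clock skew either way and refuses to accept the same step twice, which is what keeps a code typed into the password field from being reused within its validity window.

```python
import hashlib
import hmac
import struct

# Constructed sample key: the RFC 4226 / RFC 6238 reference secret (ASCII), not a real key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros: "081804" is a valid code


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a code the user typed. Assumed design, one instance per user profile."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew            # how many steps of clock drift to tolerate on each side
        self.last_counter = -1      # highest step already accepted; anything at or below is a replay

    def verify(self, code: str, now: float) -> bool:
        # Reject malformed input before touching the secret.
        if len(code) != self.digits or not code.isdigit():
            return False
        base = int(now) // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue                                # already consumed: a second use is a replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):     # constant-time comparison
                self.last_counter = counter             # burn this step so the code cannot be reused
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    print(totp(SECRET, 59))          # code the user's app would show at t=59 s
    print(v.verify(totp(SECRET, 59), 59))   # first use: accepted
    print(v.verify(totp(SECRET, 59), 59))   # same code again: rejected as a replay
```

The replay state is per user and per time step; in a real deployment it must live somewhere shared by every login path that accepts a code, or a code that was refused on one interface could still be accepted on another.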

“Kisco’s MFA is a two-way ‘codeless’ integration which we think is much easier to use and will result in fewer support calls to the helpdesk team,” he tells IT Jungle.

Fortra takes a similar view that the native IBM i MFA offering is a step in the right direction and will bolster authentication. However, in some cases, the new solution doesn’t go far enough in delivering customers the MFA capabilities they need, company officials say.

“We see our solution as being complementary to what’s built into the operating system,” says Tom Huntington, Fortra’s vice president of technical services.

“As you know, IBM i customers don’t just have IBM i. They always have Windows servers alongside of it,” he says. “And so consequently, they also own enterprise multifactor solutions like a Duo or Okta or something like that. And so we can go above and beyond what the IBM i solution does by being able to integrate with those solutions using their Radius servers and tying our solution into it.”

Fortra is using the new MFA exit point that IBM exposed in 7.6 to hook its MFA solution, dubbed PowerTech MFA, into the IBM i operating system. That allows Fortra to access the MFA capabilities that IBM is now delivering in IBM i via its own software.

“One of the advantages that comes with PowerTech MFA is around that case when you have multiple systems in your environment,” says Brian Nordland, director of IBM Power development at Fortra. “Where you have a single centralized management instead of system by system by system having different MFA setups where you got a list of 20 of them to figure out which code to enter.”

Raz-Lee also sees room for its MFA offering, dubbed iSecurity MFA, in the new IBM i landscape that includes the native MFA facility.

“We extend our sincere thanks to IBM for making this important security feature a native part of the operating system,” Raz-Lee says on its website. “This initiative significantly enhances the platform’s security posture and contributes to a stronger security culture across the IBM i community.”

Raz-Lee says iSecurity MFA holds some advantages over the native facility. For instance, it uses the concept of a person rather than a user profile, which can simplify the log-in process for human users whose work spans multiple user profiles.

iSecurity MFA also allows customers to use multiple authentication mechanisms beyond the TOTP generated natively by the IBM i OS with the new IBM MFA facility. It allows customers to use RADIUS, OAuth2, and OpenID (PingID) to handle the end-point verification.

Fresche Solutions also has an MFA product for IBM i. Tony Perera, Fresche’s executive vice president of security technology, says that one of the biggest issues surrounding the native IBM i MFA facility is implementation.

“We’ve found that most vendor IBM i MFA solutions are cumbersome to implement,” Perera tells IT Jungle. “After reviewing IBM’s MFA solution, we found that some implementation hurdles remain. If a solution is challenging to implement or maintain, customer acceptance is reduced.”

Getting to password level 4 will be a big obstacle to adopting IBM’s MFA facility, since many IBM i customers aren’t yet at that password level, he says. By contrast, implementing the Fresche MFA solution is “quick and easy,” Perera says.

“We provide a TOTP implementation that is fully native, requiring no external servers or third-party software, making it robust, reliable, and easy to deploy,” he says, adding that Fresche’s MFA offering supports RADIUS servers, as well as Okta, CyberArk, and NetIQ Advanced Authenticator. What’s more, Fresche’s MFA offering supports IBM i version 7.1 and higher.

All in all, the vendors say that the new IBM i MFA offering is a positive step forward that will enhance security on the platform. Like most aspects of security, there is no single thing you can buy or build that can solve all security challenges in one fell swoop, which is why security experts often recommend adopting a layered approach to protection. It’s no different with MFA.
