Multi-Factor Authentication
for IBM i
Today’s Topics
1 – Password Management on IBM i
2 – Introducing Multi-Factor Authentication
3 – Setting up Multi-Factor Authentication on IBM i
4 – How Syncsort Can Help
Password Management Basics
Basics and their benefits:
• System value for security level QSECURITY (10, 20 & more): makes passwords required
• System values for signon attempts QMAXSGNACN & QMAXSIGN: protects from guessed password & brute force attacks
• System value for password level QPWDLVL (0, 1, 2, 3): strengthens passwords
• Additional system values for password management QPWD*: strengthens passwords
• Single Sign On & EIM: simplifies password management
• SSL, TLS: encrypts passwords
These measures provide basic password security. How do you take the next step in password security?
Passwords alone are weak. The frequency of breaches due to stolen or guessed passwords and brute-force attacks requires an additional layer of user authentication security.
Complex Password Issues
• Should we add more complexity to passwords? Not really.
• Why not? Because we write them down!
• Complex passwords increase costs and introduce weaknesses:
  • Management is complex
  • Management is expensive
  • Impacts productivity (re-enabling users, password changes, etc.)
• Reliance on passwords alone puts all your eggs in the same basket!
NIST’s latest Digital Identity Guidelines at https://pages.nist.gov/800-63-3/ recommend against complex passwords
Multi-Factor Authentication Adds a Layer of Login Security
Multi-Factor Authentication (MFA), sometimes called Two-Factor Authentication (2FA), uses two or more of the following factors:
• Something you know or a “knowledge factor”
  • E.g. user ID, password, PIN, security question
• Something you have or a “possession factor”
  • E.g. smartphone, smartcard, token device
• Something you are or an “inherence factor”
  • E.g. fingerprint, iris scan, voice recognition
Typical authentication on IBM i uses 2 items of the same factor – User ID and password. This is not multi-factor authentication.
Multi-Step vs. One-Step Authentication
Multi-Step Authentication
• Two authentication steps are presented separately
• If authentication fails, the user knows which step failed
[Diagram: multi-step authentication. Step 1 (user ID & password) and Step 2 (passcode) are verified separately, each with its own SUCCESS or FAILURE outcome, before the user is logged in]
One-Step Authentication
• Multiple authentication factors presented at the same time
• All factors must be validated before granting access
• If authentication fails, user doesn’t know which factor failed
[Diagram: one-step authentication. User ID, password and passcode go through a single authentication/verification step with one SUCCESS (logged in) or FAILURE outcome]
Not understanding which authentication factor failed is frustrating for end users, but it is required by regulations such as PCI.
Examples of MFA
• This is not MFA: two things the user knows and no other factor is not MFA
• A combination of things the user knows, has or is provides MFA
A Fourth Factor?
Is geolocation a 4th factor for Multi-Factor Authentication?
Location of the user can be used as a factor, or at least as a criterion. Example: a user connected from inside the network is challenged normally, while for a user connected from outside the network the rules can be more complex.
Geolocation can be used to restrict access, so it can be more related to access control than to MFA.
Why Adopt Multi-Factor Authentication?
• Regulations are evolving to require or recommend MFA. Consult the latest documentation for the regulations that impact your business!
• MFA avoids the risks and costs of:
  • Weak passwords
  • Complex passwords
• MFA is a good security measure when:
  • It is customizable and simple to administer
  • End-user adoption is easy
• MFA can support internal strategy and legal requirements
• BYOD (Bring Your Own Device) vs COPE (Corporate Owned, Personally Enabled)
Passwords alone are insufficient to protect your systems from attack. Multiple factors are better than one to improve security!
Verizon’s Annual Data Breach Report 2018: “Use two-factor authentication. Phishing campaigns are still hugely effective. And employees make mistakes. Two-factor authentication can limit the damage that can be done if credentials are lost or stolen.”
Regulatory Requirements for MFA
PCI-DSS version 3.2
• Requires companies to secure all administrative access to the CDE (Cardholder Data Environment) using MFA
• Check document “Multi-Factor Authentication” – February 2017 – Requirement 8.3.
New York Department of Financial Services Cybersecurity Regulation
• 23 NYCRR 500 Section 500.12 (b) states, “Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
FFIEC (Federal Financial Institutions Examination Council)
• The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
HIPAA
• Doesn't explicitly mention MFA
• Due to password expiration reinforcement and updates to NIST guidance (800-63), MFA becomes a very reasonable solution to meet HIPAA section 164.312d
Authentication Services
The Purpose of a Service
• Authentication services provide passcodes
• A passcode can be just a token code that changes every minute, or it can be combined with a PIN code
• A passcode alternative could be a push notification, fingerprint, etc.
RFC 6238
• Based on the Time-based One-Time Password algorithm (TOTP)
• Examples:
  • Microsoft Authenticator
  • Google Authenticator
  • Authy
  • Yubico
  • And others
RADIUS authentication
• For organizations that use their own RADIUS server or a third-party solution compatible with RADIUS such as:
  • RSA SecurID® Access
  • Gemalto
  • DUO Authenticator
  • Microsoft Azure Authenticator
  • And others
[Diagram: PASSCODE = PIN code (something you know) + token code (something you have)]
Combination of something you know and something you have is OK for MFA
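How an authentication service could validate a passcode made of a PIN code plus an RFC 6238 token code, shown as an added example that is not part of the original slides. The PIN-before-token layout, the one-step drift window, the sample PIN and all names are assumptions; the shared secret in the demo is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class PasscodeVerifier:
    """Server-side check of PASSCODE = PIN code + token code (assumed layout)."""

    def __init__(self, secret: bytes, pin: str, step: int = 30,
                 digits: int = 6, drift: int = 1):
        self.secret, self.pin = secret, pin
        self.step, self.digits, self.drift = step, digits, drift
        self.last_counter = -1  # newest time step that was already accepted

    def verify(self, passcode: str, unix_time: int) -> bool:
        # Split the single passcode field: trailing digits are the token code.
        pin, token = passcode[:-self.digits], passcode[-self.digits:]
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())

        # Accept the current time step and `drift` steps either side of it
        # to tolerate clock skew between the token and the server.
        now = unix_time // self.step
        matched = None
        for counter in range(max(0, now - self.drift), now + self.drift + 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(token.encode(), expected.encode()):
                matched = counter

        # One-step decision: both factors are evaluated before answering, and
        # the caller only learns True/False, not which factor failed.
        # A token from an already accepted time step is a replay and is refused.
        if not pin_ok or matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"           # RFC 6238 test key
    verifier = PasscodeVerifier(secret, pin="4821")  # constructed sample PIN
    code = "4821" + totp(secret, 59)
    print(verifier.verify(code, 59))   # first use of this token code
    print(verifier.verify(code, 59))   # same token code presented again
```
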
Authentication Options
Authentication options are methods for transporting an authentication factor. They can include:
• Email
• Phone call
• Mobile phones
  • Push-based authentication
  • QR code based authentication
  • One-time password authentication (event-based and time-based)
  • SMS-based verification (see box)
• Hardware device such as fobs
• USB-based physical tokens
  • USB tokens are not allowed in many organizations due to risk of loss, theft, virus, or malware
  • USB tokens are costly and heavy to manage for all users
• Biometric device
Factors must be independent: a factor cannot be used to access another factor, and they should be physically independent.
Use of SMS for Authentication – PCI DSS relies on industry standards, such as NIST, ISO, and ANSI, that cover all industries, not just the payment industry. While NIST currently permits the use of SMS authentication for MFA, they have advised that out-of-band authentication using SMS or voice should be “restricted” as it presents a security risk.
Typical IBM i MFA Project
From our experience, typical MFA projects for IBM i involve:
• Providing a stronger challenge for internal privileged users (RSA for example)
• Challenging an external consultant for a valid ticket number before allowing them to sign on
• A simple challenge by email to application users who are performing critical operations
• Requesting an additional security question based on geolocation
MFA is also very useful for self-service password reset
Debate: Is MFA Really Applicable on IBM i?
PCI and other standards, including but not limited to NIST SP 800-63B, require that all factors in multi-factor authentication be unified into a one-step process to prevent data leakage at any single-factor authentication step.
It should be further noted that numerous components and services on the IBM i do not support the RFCs upon which Google Authenticator and others are built and cannot utilize Multi-Factor Authentication.
Multi-Factor Authentication Process Flow
• Signon screen: User: ADMINGUY, Password: xxxxxxxxxxx, <ENTER>
• Initial program for user ADMINGUY
• Additional challenge for user ADMINGUY? Which challenge? (NO: Menu)
• Information needed to evaluate the challenge:
  • Day and time
  • Device, Subsystem, IP address
  • Call stack
  • IBM i user attributes (group, special authorities, etc.)
  • MFA user attributes (user ID, email, phone number, etc.)
• PROMPT: Passcode: NNNNNNNNN
• CHECK: Format the request and send it to the authentication server
• CONNECT: Authentication Server (User: ABCD1234, Passcode: NNNNNNNNN)
• MAPPING TABLE (IBM i user to authentication user):
  • ADMINGUY: ABCD1234
  • ADMINJEFF: EFGH5678
• RECEIVE ANSWER
• Possible responses to the IBM i user:
  • Accepted
  • Rejected
  • New PIN code requested
  • New token code requested
  • And more
• For segregation reasons, the real response is only known by the authentication server. The real reason could be:
  • User not valid
  • User disabled
  • PIN code not valid
  • Token code not valid
  • Token code already used
  • Configuration error
  • And more
• Log the Request
• Outcomes: ACCEPTED, REJECTED or REQUEST ANOTHER CHALLENGE
• Possible challenges:
  • Push notification
  • Fingerprint
  • Passcode
  • Security question
  • And more
Notes on IBM i Authentication Process
• Can be used to protect not only the signon screen, but also to protect application use
• Users can be registered individually or globally (through group profiles, or any other user attribute)
• Can identify different populations of users and challenge them using different methods
• Use existing authenticators as much as possible
• Options for one-step or two-step authentication
Tips and Questions to Consider
• It’s better to check more than just one authentication server, in case some are not reachable
• What should be done if communication cannot be established with any of the authentication servers?
• What should be done if the user provided is QSECOFR?
• What should be done if the user is connected from the console?
• What should be done if the user provided an incorrect IBM i password? The initial program won’t be called…
• What should be done with the QMAXSIGN & QMAXSGNACN system values?
The end user should not know why his logon has failed. The text of these messages can be replaced with a neutral message such as "Access denied". These messages are in the QCPFMSG message file.
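The challenge decision, mapping table, server failover and neutral answer from the process flow and tips above, as an added example that is not from the original slides or from any vendor product. The challenge policy (privileged users, addresses outside an internal range, off-hours), the choice to deny access when no server answers, the internal address range and all function names are assumptions; the mapping-table entries are the ones shown on the slide.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple

MAPPING_TABLE = {"ADMINGUY": "ABCD1234", "ADMINJEFF": "EFGH5678"}  # from the slide
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
PRIVILEGED = {"*ALLOBJ", "*SECADM"}                 # assumed policy trigger
NEUTRAL_DENIAL = "Access denied"
# Answers that may be shown to the IBM i user; anything else is hidden.
VISIBLE_ANSWERS = {"Accepted", "New PIN code requested",
                   "New token code requested"}

# An authentication server is modelled as a callable that returns one of the
# "possible responses" and raises ConnectionError when it cannot be reached.
Server = Callable[[str, str], str]


@dataclass
class Signon:
    user: str
    ip: str
    when: datetime
    special_authorities: frozenset = frozenset()


def choose_challenge(s: Signon) -> Optional[str]:
    """'Additional challenge? Which challenge?' None is the NO branch (menu)."""
    outside = ipaddress.ip_address(s.ip) not in INTERNAL_NET
    privileged = bool(PRIVILEGED & s.special_authorities)
    off_hours = s.when.weekday() >= 5 or not (7 <= s.when.hour < 19)
    return "passcode" if (privileged or outside or off_hours) else None


def check_passcode(s: Signon, passcode: str,
                   servers: List[Tuple[str, Server]], audit: list) -> str:
    """Map the user, try each server in turn, log the request, answer neutrally."""
    auth_user = MAPPING_TABLE.get(s.user)
    answer, used = "Rejected", None      # default if unmapped or no server answers
    if auth_user is not None:
        for name, server in servers:
            try:
                answer, used = server(auth_user, passcode), name
                break
            except ConnectionError:
                continue                 # next server in the list
    # The audit record never contains the passcode itself.
    audit.append({"user": s.user, "ip": s.ip, "time": s.when.isoformat(),
                  "server": used, "answer": answer})
    return answer if answer in VISIBLE_ANSWERS else NEUTRAL_DENIAL


if __name__ == "__main__":
    def unreachable(user, code):         # constructed stand-in servers
        raise ConnectionError("no route")

    def backup(user, code):
        return "Accepted" if (user, code) == ("ABCD1234", "123456") else "Rejected"

    log: list = []
    s = Signon("ADMINGUY", "203.0.113.7", datetime(2024, 1, 10, 10, 0))
    print(choose_challenge(s))
    print(check_passcode(s, "123456", [("primary", unreachable), ("backup", backup)], log))
    print(check_passcode(s, "123456", [("primary", unreachable)], log))
```
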
More MFA Implementation Tips
• The coding must be very robust so that users cannot find weaknesses.
• The coding must not leave any trace of the process in the joblog or anywhere else.
• Access to journal(s) should be protected, but this is true anyway for any security policies in place.
• Changes to the MFA configuration need to be strongly audited and access by administrators should be prevented (using exit points).
Additional Uses for Multi-Factor Authentication on IBM i
• Enables self-service profile re-enablement and self-service password changes
• Supports the Four Eyes Principle for supervised changes
• Protects access to certain commands like DFU, STRSQL, STRSST, etc.
• Real risk-based authentication policy (integrated with access control and elevated authority management capabilities)
Assure Multi-Factor Authentication
Strengthen security by requiring multiple forms of authentication prior to granting access to systems or applications
• Powerful, flexible multi-factor authentication for IBM i
• Options to initiate from the 5250 signon or on-demand
• Options for one-step or two-step authentication
• Support for multiple authentication methods
• Enables self-service profile re-enablement and self-service password changes
• Supports the Four Eyes Principle for supervised changes
• RSA certified
[Screenshot: signon panel with Username, Password and Token Code fields and Login / Cancel buttons]
Assure Multi-Factor Authentication is one module of Assure Security, Syncsort’s best-in-class solution for IBM i compliance and security
[Diagram: Assure Security modules: Assure Data Privacy, Assure Encryption, Assure Secure File Transfer, Assure Monitoring and Reporting, Assure Db2 Data Monitor, Assure Access Control, Assure System Access Manager, Assure Elevated Authority Manager, Assure Multi-Factor Authentication, Security Risk Assessment, Assure Compliance Monitoring]
Thank you!
Learn more at
www.syncsort.com/assure-security
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM i
Nt2580 Final Project Essay ExamplesNt2580 Final Project Essay Examples
Nt2580 Final Project Essay Examples
Sherry Bailey
 
The Importance of Multi-Factor Authentication (MFA)
The Importance of Multi-Factor Authentication (MFA)The Importance of Multi-Factor Authentication (MFA)
The Importance of Multi-Factor Authentication (MFA)
kandrasupriya99
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
SecurityMetrics
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?
WSO2
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White Paper
Raz-Lee Security
 
Strong authentication implementation guide
Strong authentication   implementation guideStrong authentication   implementation guide
Strong authentication implementation guide
Nis
 
Multi Factor Authentication
Multi Factor AuthenticationMulti Factor Authentication
Multi Factor Authentication
Ping Identity
 
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert ...
Core Security
 
Ad

More from Precisely (20)

Outdated Tech, Invisible Expenses – How Data Silos Undermine Operational Effi...
Outdated Tech, Invisible Expenses – How Data Silos Undermine Operational Effi...Outdated Tech, Invisible Expenses – How Data Silos Undermine Operational Effi...
Outdated Tech, Invisible Expenses – How Data Silos Undermine Operational Effi...
Precisely
 
Modernización de SAP: Maximizando el Valor de su Migración a SAP S/4HANA.pdf
Modernización de SAP: Maximizando el Valor de su Migración a SAP S/4HANA.pdfModernización de SAP: Maximizando el Valor de su Migración a SAP S/4HANA.pdf
Modernización de SAP: Maximizando el Valor de su Migración a SAP S/4HANA.pdf
Precisely
 
Outdated Tech, Invisible Expenses – The Hidden Cost of Disconnected Data Syst...
Outdated Tech, Invisible Expenses – The Hidden Cost of Disconnected Data Syst...Outdated Tech, Invisible Expenses – The Hidden Cost of Disconnected Data Syst...
Outdated Tech, Invisible Expenses – The Hidden Cost of Disconnected Data Syst...
Precisely
 
Migration vers SAP S/4HANA: Un levier stratégique pour votre transformation d...
Migration vers SAP S/4HANA: Un levier stratégique pour votre transformation d...Migration vers SAP S/4HANA: Un levier stratégique pour votre transformation d...
Migration vers SAP S/4HANA: Un levier stratégique pour votre transformation d...
Precisely
 
Outdated Tech, Invisible Expenses: The Hidden Cost of Poor Data Integration o...
Outdated Tech, Invisible Expenses: The Hidden Cost of Poor Data Integration o...Outdated Tech, Invisible Expenses: The Hidden Cost of Poor Data Integration o...
Outdated Tech, Invisible Expenses: The Hidden Cost of Poor Data Integration o...
Precisely
 
The Changing Compliance Landscape in 2025.pdf
The Changing Compliance Landscape in 2025.pdfThe Changing Compliance Landscape in 2025.pdf
The Changing Compliance Landscape in 2025.pdf
Precisely
 
AI You Can Trust: The Critical Role of Governance and Quality.pdf
AI You Can Trust: The Critical Role of Governance and Quality.pdfAI You Can Trust: The Critical Role of Governance and Quality.pdf
AI You Can Trust: The Critical Role of Governance and Quality.pdf
Precisely
 
Automate Studio Training: Building Scripts for SAP Fiori and GUI for HTML.pdf
Automate Studio Training: Building Scripts for SAP Fiori and GUI for HTML.pdfAutomate Studio Training: Building Scripts for SAP Fiori and GUI for HTML.pdf
Automate Studio Training: Building Scripts for SAP Fiori and GUI for HTML.pdf
Precisely
 
Unlocking the Power of Trusted Data for AI, Analytics, and Business Growth.pdf
Unlocking the Power of Trusted Data for AI, Analytics, and Business Growth.pdfUnlocking the Power of Trusted Data for AI, Analytics, and Business Growth.pdf
Unlocking the Power of Trusted Data for AI, Analytics, and Business Growth.pdf
Precisely
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
End-to-end process automation: Simplifying SAP master data with low-code/no-c...
End-to-end process automation: Simplifying SAP master data with low-code/no-c...End-to-end process automation: Simplifying SAP master data with low-code/no-c...
End-to-end process automation: Simplifying SAP master data with low-code/no-c...
Precisely
 
Optimizing Your IBM i Availability: Storage vs. Software Replication.pdf
Optimizing Your IBM i Availability: Storage vs. Software Replication.pdfOptimizing Your IBM i Availability: Storage vs. Software Replication.pdf
Optimizing Your IBM i Availability: Storage vs. Software Replication.pdf
Precisely
 
AI You Can Trust - The Role of Data Integrity in AI-Readiness.pdf
AI You Can Trust - The Role of Data Integrity in AI-Readiness.pdfAI You Can Trust - The Role of Data Integrity in AI-Readiness.pdf
AI You Can Trust - The Role of Data Integrity in AI-Readiness.pdf
Precisely
 
Top Tips to Get Your Data AI-Ready‎ ‎ ‎‎ ‎
Top Tips to Get Your Data AI-Ready‎ ‎ ‎‎ ‎Top Tips to Get Your Data AI-Ready‎ ‎ ‎‎ ‎
Top Tips to Get Your Data AI-Ready‎ ‎ ‎‎ ‎
Precisely
 
Transform your IBM i and IBM Z data for proactive IT Operations.pdf
Transform your IBM i and IBM Z data for proactive IT Operations.pdfTransform your IBM i and IBM Z data for proactive IT Operations.pdf
Transform your IBM i and IBM Z data for proactive IT Operations.pdf
Precisely
 
Precisely Demo Showcase - The Future of Location Data Management and Analytic...
Precisely Demo Showcase - The Future of Location Data Management and Analytic...Precisely Demo Showcase - The Future of Location Data Management and Analytic...
Precisely Demo Showcase - The Future of Location Data Management and Analytic...
Precisely
 
Precisely Automate Evolve vs SAP MDG : L'Automatisation SAP, quel que soit l...
Precisely Automate Evolve vs SAP MDG :  L'Automatisation SAP, quel que soit l...Precisely Automate Evolve vs SAP MDG :  L'Automatisation SAP, quel que soit l...
Precisely Automate Evolve vs SAP MDG : L'Automatisation SAP, quel que soit l...
Precisely
 
Taking Your Legacy Data Beyond Modernization with AWS.pdf
Taking Your Legacy Data Beyond Modernization with AWS.pdfTaking Your Legacy Data Beyond Modernization with AWS.pdf
Taking Your Legacy Data Beyond Modernization with AWS.pdf
Precisely
 
Precisely Showcase - Data Governance, Quality & MDM.pdf
Precisely Showcase - Data Governance, Quality & MDM.pdfPrecisely Showcase - Data Governance, Quality & MDM.pdf
Precisely Showcase - Data Governance, Quality & MDM.pdf
Precisely
 
Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Stronger Together: Combining Data Quality and Governance for Confident AI & A...Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Precisely
 
Outdated Tech, Invisible Expenses – How Data Silos Undermine Operational Effi...
Outdated Tech, Invisible Expenses – How Data Silos Undermine Operational Effi...Outdated Tech, Invisible Expenses – How Data Silos Undermine Operational Effi...
Outdated Tech, Invisible Expenses – How Data Silos Undermine Operational Effi...
Precisely
 
Modernización de SAP: Maximizando el Valor de su Migración a SAP S/4HANA.pdf
Modernización de SAP: Maximizando el Valor de su Migración a SAP S/4HANA.pdfModernización de SAP: Maximizando el Valor de su Migración a SAP S/4HANA.pdf
Modernización de SAP: Maximizando el Valor de su Migración a SAP S/4HANA.pdf
Precisely
 
Outdated Tech, Invisible Expenses – The Hidden Cost of Disconnected Data Syst...
Outdated Tech, Invisible Expenses – The Hidden Cost of Disconnected Data Syst...Outdated Tech, Invisible Expenses – The Hidden Cost of Disconnected Data Syst...
Outdated Tech, Invisible Expenses – The Hidden Cost of Disconnected Data Syst...
Precisely
 
Migration vers SAP S/4HANA: Un levier stratégique pour votre transformation d...
Migration vers SAP S/4HANA: Un levier stratégique pour votre transformation d...Migration vers SAP S/4HANA: Un levier stratégique pour votre transformation d...
Migration vers SAP S/4HANA: Un levier stratégique pour votre transformation d...
Precisely
 
Outdated Tech, Invisible Expenses: The Hidden Cost of Poor Data Integration o...
Outdated Tech, Invisible Expenses: The Hidden Cost of Poor Data Integration o...Outdated Tech, Invisible Expenses: The Hidden Cost of Poor Data Integration o...
Outdated Tech, Invisible Expenses: The Hidden Cost of Poor Data Integration o...
Precisely
 
The Changing Compliance Landscape in 2025.pdf
The Changing Compliance Landscape in 2025.pdfThe Changing Compliance Landscape in 2025.pdf
The Changing Compliance Landscape in 2025.pdf
Precisely
 
AI You Can Trust: The Critical Role of Governance and Quality.pdf
AI You Can Trust: The Critical Role of Governance and Quality.pdfAI You Can Trust: The Critical Role of Governance and Quality.pdf
AI You Can Trust: The Critical Role of Governance and Quality.pdf
Precisely
 
Automate Studio Training: Building Scripts for SAP Fiori and GUI for HTML.pdf
Automate Studio Training: Building Scripts for SAP Fiori and GUI for HTML.pdfAutomate Studio Training: Building Scripts for SAP Fiori and GUI for HTML.pdf
Automate Studio Training: Building Scripts for SAP Fiori and GUI for HTML.pdf
Precisely
 
Unlocking the Power of Trusted Data for AI, Analytics, and Business Growth.pdf
Unlocking the Power of Trusted Data for AI, Analytics, and Business Growth.pdfUnlocking the Power of Trusted Data for AI, Analytics, and Business Growth.pdf
Unlocking the Power of Trusted Data for AI, Analytics, and Business Growth.pdf
Precisely
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
End-to-end process automation: Simplifying SAP master data with low-code/no-c...
End-to-end process automation: Simplifying SAP master data with low-code/no-c...End-to-end process automation: Simplifying SAP master data with low-code/no-c...
End-to-end process automation: Simplifying SAP master data with low-code/no-c...
Precisely
 
Optimizing Your IBM i Availability: Storage vs. Software Replication.pdf
Optimizing Your IBM i Availability: Storage vs. Software Replication.pdfOptimizing Your IBM i Availability: Storage vs. Software Replication.pdf
Optimizing Your IBM i Availability: Storage vs. Software Replication.pdf
Precisely
 
AI You Can Trust - The Role of Data Integrity in AI-Readiness.pdf
AI You Can Trust - The Role of Data Integrity in AI-Readiness.pdfAI You Can Trust - The Role of Data Integrity in AI-Readiness.pdf
AI You Can Trust - The Role of Data Integrity in AI-Readiness.pdf
Precisely
 
Top Tips to Get Your Data AI-Ready‎ ‎ ‎‎ ‎
Top Tips to Get Your Data AI-Ready‎ ‎ ‎‎ ‎Top Tips to Get Your Data AI-Ready‎ ‎ ‎‎ ‎
Top Tips to Get Your Data AI-Ready‎ ‎ ‎‎ ‎
Precisely
 
Transform your IBM i and IBM Z data for proactive IT Operations.pdf
Transform your IBM i and IBM Z data for proactive IT Operations.pdfTransform your IBM i and IBM Z data for proactive IT Operations.pdf
Transform your IBM i and IBM Z data for proactive IT Operations.pdf
Precisely
 
Precisely Demo Showcase - The Future of Location Data Management and Analytic...
Precisely Demo Showcase - The Future of Location Data Management and Analytic...Precisely Demo Showcase - The Future of Location Data Management and Analytic...
Precisely Demo Showcase - The Future of Location Data Management and Analytic...
Precisely
 
Precisely Automate Evolve vs SAP MDG : L'Automatisation SAP, quel que soit l...
Precisely Automate Evolve vs SAP MDG :  L'Automatisation SAP, quel que soit l...Precisely Automate Evolve vs SAP MDG :  L'Automatisation SAP, quel que soit l...
Precisely Automate Evolve vs SAP MDG : L'Automatisation SAP, quel que soit l...
Precisely
 
Taking Your Legacy Data Beyond Modernization with AWS.pdf
Taking Your Legacy Data Beyond Modernization with AWS.pdfTaking Your Legacy Data Beyond Modernization with AWS.pdf
Taking Your Legacy Data Beyond Modernization with AWS.pdf
Precisely
 
Precisely Showcase - Data Governance, Quality & MDM.pdf
Precisely Showcase - Data Governance, Quality & MDM.pdfPrecisely Showcase - Data Governance, Quality & MDM.pdf
Precisely Showcase - Data Governance, Quality & MDM.pdf
Precisely
 
Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Stronger Together: Combining Data Quality and Governance for Confident AI & A...Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Precisely
 
Ad

Recently uploaded (20)

Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)
Kaya Weers
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdfICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
Eryk Budi Pratama
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
Multi-Agent AI Systems: Architectures & Communication (MCP and A2A)
Multi-Agent AI Systems: Architectures & Communication (MCP and A2A)Multi-Agent AI Systems: Architectures & Communication (MCP and A2A)
Multi-Agent AI Systems: Architectures & Communication (MCP and A2A)
HusseinMalikMammadli
 
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
UXPA Boston
 
Top Hyper-Casual Game Studio Services
Top  Hyper-Casual  Game  Studio ServicesTop  Hyper-Casual  Game  Studio Services
Top Hyper-Casual Game Studio Services
Nova Carter
 
Refactoring meta-rauc-community: Cleaner Code, Better Maintenance, More Machines
Refactoring meta-rauc-community: Cleaner Code, Better Maintenance, More MachinesRefactoring meta-rauc-community: Cleaner Code, Better Maintenance, More Machines
Refactoring meta-rauc-community: Cleaner Code, Better Maintenance, More Machines
Leon Anavi
 
Right to liberty and security of a person.pdf
Right to liberty and security of a person.pdfRight to liberty and security of a person.pdf
Right to liberty and security of a person.pdf
danielbraico197
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
May Patch Tuesday
May Patch TuesdayMay Patch Tuesday
May Patch Tuesday
Ivanti
 
Best 10 Free AI Character Chat Platforms
Best 10 Free AI Character Chat PlatformsBest 10 Free AI Character Chat Platforms
Best 10 Free AI Character Chat Platforms
Soulmaite
 
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier VroomAI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
UXPA Boston
 
Top 5 Qualities to Look for in Salesforce Partners in 2025
Top 5 Qualities to Look for in Salesforce Partners in 2025Top 5 Qualities to Look for in Salesforce Partners in 2025
Top 5 Qualities to Look for in Salesforce Partners in 2025
Damco Salesforce Services
 
How Top Companies Benefit from Outsourcing
How Top Companies Benefit from OutsourcingHow Top Companies Benefit from Outsourcing
How Top Companies Benefit from Outsourcing
Nascenture
 
Building a research repository that works by Clare Cady
Building a research repository that works by Clare CadyBuilding a research repository that works by Clare Cady
Building a research repository that works by Clare Cady
UXPA Boston
 
Slack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teamsSlack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teams
Nacho Cougil
 
UiPath AgentHack - Build the AI agents of tomorrow_Enablement 1.pptx
UiPath AgentHack - Build the AI agents of tomorrow_Enablement 1.pptxUiPath AgentHack - Build the AI agents of tomorrow_Enablement 1.pptx
UiPath AgentHack - Build the AI agents of tomorrow_Enablement 1.pptx
anabulhac
 
AI-proof your career by Olivier Vroom and David WIlliamson
AI-proof your career by Olivier Vroom and David WIlliamsonAI-proof your career by Olivier Vroom and David WIlliamson
AI-proof your career by Olivier Vroom and David WIlliamson
UXPA Boston
 
Cybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and MitigationCybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and Mitigation
VICTOR MAESTRE RAMIREZ
 
Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)
Kaya Weers
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdfICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
ICDCC 2025: Securing Agentic AI - Eryk Budi Pratama.pdf
Eryk Budi Pratama
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
Multi-Agent AI Systems: Architectures & Communication (MCP and A2A)
Multi-Agent AI Systems: Architectures & Communication (MCP and A2A)Multi-Agent AI Systems: Architectures & Communication (MCP and A2A)
Multi-Agent AI Systems: Architectures & Communication (MCP and A2A)
HusseinMalikMammadli
 
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
Developing Product-Behavior Fit: UX Research in Product Development by Krysta...
UXPA Boston
 
Top Hyper-Casual Game Studio Services
Top  Hyper-Casual  Game  Studio ServicesTop  Hyper-Casual  Game  Studio Services
Top Hyper-Casual Game Studio Services
Nova Carter
 
Refactoring meta-rauc-community: Cleaner Code, Better Maintenance, More Machines
Refactoring meta-rauc-community: Cleaner Code, Better Maintenance, More MachinesRefactoring meta-rauc-community: Cleaner Code, Better Maintenance, More Machines
Refactoring meta-rauc-community: Cleaner Code, Better Maintenance, More Machines
Leon Anavi
 
Right to liberty and security of a person.pdf
Right to liberty and security of a person.pdfRight to liberty and security of a person.pdf
Right to liberty and security of a person.pdf
danielbraico197
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
May Patch Tuesday
May Patch TuesdayMay Patch Tuesday
May Patch Tuesday
Ivanti
 
Best 10 Free AI Character Chat Platforms
Best 10 Free AI Character Chat PlatformsBest 10 Free AI Character Chat Platforms
Best 10 Free AI Character Chat Platforms
Soulmaite
 
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier VroomAI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
UXPA Boston
 
Top 5 Qualities to Look for in Salesforce Partners in 2025
Top 5 Qualities to Look for in Salesforce Partners in 2025Top 5 Qualities to Look for in Salesforce Partners in 2025
Top 5 Qualities to Look for in Salesforce Partners in 2025
Damco Salesforce Services
 
How Top Companies Benefit from Outsourcing
How Top Companies Benefit from OutsourcingHow Top Companies Benefit from Outsourcing
How Top Companies Benefit from Outsourcing
Nascenture
 
Building a research repository that works by Clare Cady
Building a research repository that works by Clare CadyBuilding a research repository that works by Clare Cady
Building a research repository that works by Clare Cady
UXPA Boston
 
Slack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teamsSlack like a pro: strategies for 10x engineering teams
Slack like a pro: strategies for 10x engineering teams
Nacho Cougil
 
UiPath AgentHack - Build the AI agents of tomorrow_Enablement 1.pptx
UiPath AgentHack - Build the AI agents of tomorrow_Enablement 1.pptxUiPath AgentHack - Build the AI agents of tomorrow_Enablement 1.pptx
UiPath AgentHack - Build the AI agents of tomorrow_Enablement 1.pptx
anabulhac
 
AI-proof your career by Olivier Vroom and David WIlliamson
AI-proof your career by Olivier Vroom and David WIlliamsonAI-proof your career by Olivier Vroom and David WIlliamson
AI-proof your career by Olivier Vroom and David WIlliamson
UXPA Boston
 
Cybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and MitigationCybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and Mitigation
VICTOR MAESTRE RAMIREZ
 

Combat Passwords on Post-Its with Multi-Factor Authentication for IBM i

  • 2. Today’s Topics 1 – Password Management on IBM i 2 – Introducing Multi-Factor Authentication 3 – Setting up Multi-Factor Authentication on IBM i 4 – How Syncsort Can Help
  • 4. Password Management Basics (Basics: Benefits)
      • System Value for security level QSECURITY (10, 20 & more): Makes passwords required
      • System Values for Signon attempts QMAXSGNACN & QMAXSIGN: Protects from guessed password & brute force attacks
      • System Value for Password Level QPWDLVL (0, 1, 2, 3): Strengthens passwords
      • Additional System Values for Password management QPWD*: Strengthens passwords
      • Single Sign On & EIM: Simplifies password management
      • SSL, TLS: Encrypts passwords
    These measures provide basic password security. How do you take the next step in password security?
    Passwords alone are weak. The frequency of breaches due to stolen or guessed passwords and brute-force attacks requires an additional layer of user authentication security.
  • 5. Complex Password Issues
      • Should we add more complexity to passwords? Not really.
      • Why not? Because we write them down!
      • Complex passwords increase costs and introduce weaknesses:
          • Management is complex
          • Management is expensive
          • Impacts productivity (re-enabling users, password changes, etc.)
      • Reliance on passwords alone puts all your eggs in the same basket!
    NIST’s latest Digital Identity Guidelines at https://pages.nist.gov/800-63-3/ recommend against complex passwords
  • 6. Today’s Topics 1 – Password Management on IBM i 2 – Introducing Multi-Factor Authentication 3 – Setting up Multi-Factor Authentication on IBM i 4 – How Syncsort Can Help
  • 7. Multi-Factor Authentication Adds a Layer of Login Security
    Multi-Factor Authentication (MFA), sometimes called Two-Factor Authentication (2FA), uses two or more of the following factors:
      • Something you know or a “knowledge factor”
          • E.g. user ID, password, PIN, security question
      • Something you have or a “possession factor”
          • E.g. smartphone, smartcard, token device
      • Something you are or an “inherence factor”
          • E.g. fingerprint, iris scan, voice recognition
    Typical authentication on IBM i uses 2 items of the same factor – User ID and password. This is not multi-factor authentication.
  • 8. Multi-Step vs. One-Step Authentication
    Multi-Step Authentication (diagram: Step 1 verifies User ID & Password, Step 2 verifies the Passcode; each step ends in SUCCESS or FAILURE before “Logged in”)
      • Two authentication steps are presented separately
      • If authentication fails, the user knows which step failed
    One-Step Authentication (diagram: User ID, Password and Passcode are verified in a single step that ends in SUCCESS, “Logged in”, or FAILURE)
      • Multiple authentication factors presented at the same time
      • All factors must be validated before granting access
      • If authentication fails, user doesn’t know which factor failed
    Not understanding which authentication factor failed is frustrating for end users, but it is required by regulations such as PCI.
  • 9. Examples of MFA
      • This is not MFA: two things the user knows and no other factor is not MFA
      • A combination of things the user knows, has or is provides MFA
  • 10. A Fourth Factor? Is geolocation a 4th factor for Multi-Factor Authentication?
      • Location of the user can be used as a factor, or at least as a criterion.
      • Example: a user connected from inside the network is challenged normally, while for a user connected from outside the network the rules can be more complex.
      • Geolocation can be used to restrict access, so it can be more related to access control than to MFA.
  • 11. Why Adopt Multi-Factor Authentication?
      • Regulations are evolving to require or recommend MFA. Consult the latest documentation for the regulations that impact your business!
      • MFA avoids the risks and costs of:
          • Weak passwords
          • Complex passwords
      • MFA is a good security measure when:
          • It is customizable and simple to administer
          • End-user adoption is easy
      • MFA can support internal strategy and legal requirements
          • BYOD (Bring Your Own Device) vs COPE (Corporate Owned, Personally Enabled)
    Passwords alone are insufficient to protect your systems from attack. Multiple factors are better than one to improve security!
    Verizon’s Annual Data Breach Report 2018: “Use two-factor authentication. Phishing campaigns are still hugely effective. And employees make mistakes. Two-factor authentication can limit the damage that can be done if credentials are lost or stolen.”
  • 12. Regulatory Requirements for MFA
    PCI-DSS version 3.2
      • Requires companies to secure all administrative access to the CDE (Cardholder Data Environment) using MFA
      • Check document “Multi-Factor Authentication” – February 2017 – Requirement 8.3.
    New York Department of Financial Services Cybersecurity Regulation
      • 23 NYCRR 500 Section 500.12 (b) states, “Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
    FFIEC (Federal Financial Institutions Examination Council)
      • The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
    HIPAA
      • Doesn't explicitly mention MFA
      • Due to password expiration reinforcement and updates to NIST guidance (800-63), MFA becomes a very reasonable solution to meet HIPAA section 164.312d
  • 13. Authentication Services
    The Purpose of a Service
      • Authentication services provide passcodes
      • A passcode can be only a token code that changes every minute, or it can be combined with a PIN code
      • A passcode alternative could be a push notification, fingerprint, etc.
    RFC6238: based on the Time-based One-Time Password algorithm (TOTP). Examples:
      • Microsoft Authenticator
      • Google Authenticator
      • Authy
      • Yubico
      • And others
    RADIUS authentication: for organizations that use their own RADIUS server or a third-party solution compatible with RADIUS such as:
      • RSA SecurID® Access
      • Gemalto
      • DUO Authenticator
      • Microsoft Azure Authenticator
      • And others
    (Diagram: PIN Code, something you know, plus Token Code, something you have, gives the PASSCODE.) Combination of something you know and something you have is OK for MFA
  • 14. Authentication Options
    Authentication options are methods for transporting an authentication factor. They can include:
      • Email
      • Phone call
      • Mobile phones
          • Push-based authentication
          • QR code based authentication
          • One-time password authentication (event-based and time-based)
          • SMS-based verification (see box)
      • Hardware device such as fobs
      • USB-based physical tokens
          • USB tokens are not allowed in many organizations due to risk of loss, theft, virus, or malware
          • USB tokens are costly and heavy to manage for all users
      • Biometric device
    Factors must be independent – A factor cannot be used to access another factor, they should be physically independent
    Box: Use of SMS for Authentication – PCI DSS relies on industry standards, such as NIST, ISO, and ANSI, that cover all industries, not just the payment industry. While NIST currently permits the use of SMS authentication for MFA, they have advised that out-of-band authentication using SMS or voice should be “restricted” as it presents a security risk.
  • 15. Typical IBM i MFA Project
    • From our experience, typical MFA projects for IBM i involve:
      • Providing a stronger challenge for internal privileged users (RSA for example)
      • Challenging an external consultant for a valid ticket number before allowing them to sign on
      • A simple challenge by email to application users who are performing critical operations
      • Requesting an additional security question based on geolocation
    • MFA is also very useful for self-service password reset
  • 16. Debate: Is MFA Really Applicable on IBM i?
    • PCI and other standards including but not limited to NIST SP 800-63B require that all factors in multi-factor authentication be unified into a one-step process to prevent data leakage at any single-factor authentication step.
    • It should be further noted that numerous components and services on the IBM i do not support the RFCs upon which the Google authenticator and others are built and cannot utilize Multi-Factor Authentication.
  • 33. Multi-Factor Authentication Process Flow
    • Signon screen: User: ADMINGUY, Password: xxxxxxxxxxx, <ENTER>
    • Initial Program for User ADMINGUY
    • Additional Challenge for User ADMINGUY? Which Challenge?
      • NO → Menu
      • Information needed to evaluate the challenge:
        • Day and time
        • Device, Subsystem, IP address
        • Call stack
        • IBM i user attributes (group, special authorities, etc.)
        • MFA user attributes (user ID, email, phone number, etc.)
    • PROMPT
      • Passcode: NNNNNNNNN
    • CHECK
      • Format the request
      • Send it to the authentication server
    • CONNECT
      • Authentication Server: User: ABCD1234, Passcode: NNNNNNNNN
    • MAPPING TABLE (IBM i user → authentication user)
      • ADMINGUY → ABCD1234
      • ADMINJEFF → EFGH5678
    • RECEIVE ANSWER
      • Possible responses to the IBM i user:
        • Accepted
        • Rejected
        • New PIN code requested
        • New token code requested
        • And more
      • For segregation reasons, the real response is only known by the authentication server. The real reason could be:
        • User not valid
        • User disabled
        • PIN code not valid
        • Token code not valid
        • Token code already used
        • Configuration error
        • And more
    • Log the Request
    • REQUEST ANOTHER CHALLENGE
      • Possible challenges:
        • Push notification
        • Fingerprint
        • Passcode
        • Security question
        • And more
    • Outcome: REJECTED or ACCEPTED
  • 34. Notes on IBM i Authentication Process
    • Can be used to protect not only the signon screen, but also to protect application use
    • Users can be registered individually or globally (through group profiles, or any other user attribute)
    • Can identify different populations of users and challenge them using different methods
    • Use existing authenticators as much as possible
    • Options for one-step or two-step authentication
  • 35. Tips and Questions to Consider
    • It’s better to check more than just one authentication server, in case some are not reachable
    • What should be done if communication cannot be established with any of the authentication servers?
    • What should be done if the user provided is QSECOFR?
    • What should be done if the user is connected from the console?
    • What should be done if the user provided an incorrect IBM i password? The initial program won’t be called…
    • What should be done with the QMAXSIGN & QMAXSGNACN system values?
    • The end user should not know why his logon has failed. The text of these messages can be replaced with a neutral message such as "Access denied". These messages are in the QCPFMSG message file.
  • 36. More MFA Implementation Tips
    • The coding must be very robust so that users cannot find weaknesses.
    • The coding must not leave any trace of the process in the joblog or anywhere else.
    • Access to journal(s) should be protected, but this is true anyway for any security policies in place
    • Changes to the MFA configuration need to be strongly audited and access by administrators should be prevented (using exit points)
  • 37. Additional Uses for Multi-Factor Authentication on IBM i
    • Enables self-service profile re-enablement and self-service password changes
    • Supports the Four Eyes Principle for supervised changes
    • Protects access to certain commands like DFU, STRSQL, STRSST, etc…
    • Real risk-based authentication policy (integrated with access control and elevated authority management capabilities)
  • 39. Assure Multi-Factor Authentication
    • Strengthen security by requiring multiple forms of authentication prior to granting access to systems or applications
    • Powerful, flexible multi-factor authentication for IBM i
    • Options to initiate from the 5250 signon or on-demand
    • Options for one-step or two-step authentication
    • Support for multiple authentication methods
    • Enables self-service profile re-enablement and self-service password changes
    • Supports the Four Eyes Principle for supervised changes
    • RSA certified
    • Screen mock-up: Username, Password, Token Code, with Login and Cancel buttons
  • 40. Assure Security
    • Assure Multi-Factor Authentication is one module of Assure Security, Syncsort’s best-in-class solution for IBM i compliance and security
    • Items shown on the slide:
      • Assure Data Privacy
      • Assure Encryption
      • Assure Secure File Transfer
      • Assure Monitoring and Reporting
      • Assure Db2 Data Monitor
      • Assure Access Control
      • Assure System Access Manager
      • Assure Elevated Authority Manager
      • Assure Multi-Factor Authentication
      • Security Risk Assessment
      • Assure Compliance Monitoring
  • 41. Thank you! Learn more at www.syncsort.com/assure-security
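
The passcode check behind slide 13 (PIN code + RFC 6238 token code) and the process flow (mapping table, real reason kept on the authentication server, neutral answer to the IBM i user), as an added example that is not code from the presentation or from any Syncsort product. It is a Python stand-in for the authentication server: the function names, PINs and secrets are constructed, PINs are stored in clear only for brevity, and accepting the previous time step for clock drift is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed sample data: user names are from the slides' mapping table,
# PINs and secrets are made up for this example.
MAPPING = {"ADMINGUY": "ABCD1234", "ADMINJEFF": "EFGH5678"}
ACCOUNTS = {
    "ABCD1234": {"pin": "4321", "secret": b"12345678901234567890", "enabled": True},
    "EFGH5678": {"pin": "8765", "secret": b"09876543210987654321", "enabled": False},
}
STEP, DIGITS = 60, 6  # slide 13: the token code changes every minute
last_used = {}        # auth user -> last accepted time step (replay guard)
server_log = []       # real reasons stay on the authentication server


def totp(secret, now, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the time step, RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def real_reason(auth_user, passcode, now):
    """Server-side decision; the returned reason is never sent to IBM i."""
    acct = ACCOUNTS.get(auth_user)
    if acct is None:
        return "user not valid"
    if not acct["enabled"]:
        return "user disabled"
    pin, token = passcode[:-DIGITS], passcode[-DIGITS:]
    if not hmac.compare_digest(pin.encode(), acct["pin"].encode()):
        return "PIN code not valid"
    counter = int(now) // STEP
    for c in (counter, counter - 1):  # current step, then one step of drift
        if hmac.compare_digest(token.encode(), totp(acct["secret"], c * STEP).encode()):
            if last_used.get(auth_user, -1) >= c:
                return "token code already used"
            last_used[auth_user] = c
            return "ok"
    return "token code not valid"


def check_passcode(ibmi_user, passcode, now):
    """What the IBM i side receives: only ACCEPTED or REJECTED."""
    auth_user = MAPPING.get(ibmi_user.upper(), "")
    reason = real_reason(auth_user, passcode, now)
    server_log.append((ibmi_user, reason))
    return "ACCEPTED" if reason == "ok" else "REJECTED"
```

Every failure path returns the same `REJECTED` string, so the signon side can show a neutral message such as "Access denied" while the detailed reason is available only in the server-side log.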

Editor's Notes

  • #12: From RSA ppt: Confidently protect more things without bothering people (“Convenient / Frictionless”)
  • #15: From RSA ppt: Confidently protect more things without bothering people (“Convenient / Frictionless”)
  • #17: Of course, we can’t put that in the slide as is. Let’s see how we can write this message. Should we ask this at the beginning of the presentation? Not in this form?
  • #37: Considerations if they’re considering writing an in-house solution
  • #40: IBM says that real MFA cannot be supported on IBM i and Mainframe. Assure Multi-Factor Authentication changes the IBM i screen to mimic MFA. Pure technicians will say that this is not pure MFA. The best example is the behavior of system value QMAXSGNACN (action when max signon attempts reached).