Many of us are already aware of 2 Factor Authentication (2FA) and use it on a daily basis. 2FA comes into play when you slip your credit card with a chip into a payment machine at a restaurant or store and you enter your PIN. This enhances security as you need to provide something you have (the credit card) with something you know (the PIN), and sometimes something you are (like a fingerprint scan) vs. just a signature.
You may also see this in action when you attempt to sign on to a website or mobile application with a user name and password from a device, such as an iPad, that you have never used for that particular app or site. The app comes back with “Please provide the last 4 digits of your cell phone number and enter the code that is sent by SMS to validate this access”. It may even then send an email to your known email address saying “Were you aware that access to this app was requested from a different device? Was that really you?” Many systems administrators who dial in remotely to systems that process credit card information are required by the Payment Card Industry Data Security Standard (PCI DSS) to use 2FA, which usually involves a hardware key fob that generates a random access code along with their user name and password. So what does this have to do with IBM i?
There are some vendors out there who provide 2FA for IBM i, and many shops are currently taking advantage of it, but what has changed, not only for IBM i but for all platforms, are the requirements. Prior to last year, only remote administrators were required to use 2FA, but with the release of PCI DSS Version 3.2 in April of 2017, even local administrators must use 2FA or multi-factor authentication. This will obviously drastically increase the use of 2FA.
In terms of timing for implementing 2FA, PCI DSS 3.1 retired on 31 October 2016, and since then all assessments need to use version 3.2. The new requirements introduced in PCI DSS 3.2 are considered best practices until 31 January 2018. Starting 1 February 2018 they are effective as requirements and must be used. These new regulations can be found here:
If your IBM i is used in banking, financials or for any application that stores cardholder information, you should start looking at 2FA as soon as possible. There are a number of products on the market that can provide 2FA, including amongst others:
- Arpeggio Software with ARP-AUTH https://www.arpeggiosoftware.com/index.php/products/arp-auth-two-factor-authentication-ibm-i
- Kisco with i2Pass http://www.kisco.com/
- Safestone (now Help Systems) https://www.helpsystems.com/products/two-factor-authentication-software-ibm-i
- Townsend Security https://www.townsendsecurity.com/product/two-factor-authentication-IBM-i
- Valid Technologies with VSSA http://www.validtech.com/
Mid-Range can help as we are a Platinum Partner with Help Systems, but even if you aren’t ready for 2FA, ensure your existing password policies are sufficient with a FREE Security Scan. Contact us at firstname.lastname@example.org for more information.