IBM has announced the release of version 7.6 of the IBM i operating system. Among other enhancements, this release introduces native multi-factor authentication (MFA) capabilities as well as a new authentication exit point.
We at Fortra understand that robust MFA is essential for systems hosting business-critical applications, which is why we have been helping organizations establish MFA on IBM i for nearly a decade.
We applaud IBM for making this critical security measure more widely accessible, and in doing so, improving the culture of security surrounding this platform.
Keep reading to get an overview of IBM i’s new native MFA capabilities and how Powertech Multi-Factor Authentication adds to the advantages supplied by this latest release.
IBM i 7.6 Native MFA Overview
IBM i 7.6 will feature time-based one-time password (TOTP) MFA. This type of MFA, which is also supported by Powertech MFA, does not require a network connection between the device used for authentication and IBM i. This capability applies to all authentication points – such as green-screen sign-on and FTP sign-on.
IBM i 7.6 also introduces a new integration mechanism for solutions like Powertech MFA to tie into and extend this functionality for enhanced capabilities that are essential to many organizations. We are excited to announce that the next release of Powertech MFA will fully support this integration.
How Powertech MFA Enhances Native Capabilities and Supports Broader Security Initiatives
Native MFA from IBM i 7.6 is a welcome addition for organizations looking to secure basic MFA capabilities using technology that is already available to them. However, these native capabilities will present limitations as you attempt to scale MFA across your organization and integrate it with other critical security measures.
Powertech Multi-Factor Authentication provides significant advantages for organizations requiring:
- Centralized management: Powertech MFA streamlines authentication and maintenance of user identities across multiple systems, providing efficient on- and offboarding, as well as ease of use.
- Support for multiple authentication methods: These include a desktop authentication agent, one-time password lists, time-based one-time passwords, and others.
- Integration with existing authentication infrastructure: This includes Duo, FortiToken, Okta, Microsoft Entra ID, and RSA SecurID — all through RADIUS support. In this way, end users can continue using the authentication method that they are accustomed to.
- Audit trails: Established for both failed and successful MFA attempts as well as changes to MFA configuration. This is often a critical compliance functionality.
- SIEM integration: IBM i by itself does not include SIEM integration. With Powertech MFA, authentication events can be sent to a SIEM solution. This extends the audit trail through remote logging, thus making the process more secure.
- The ability for users to add devices via browser-based UI: End users can securely add their own mobile authentication devices from a browser-based UI. This eliminates the need to store the sensitive TOTP initial keys or recovery keys anywhere other than the authentication app itself. This also eliminates the need to temporarily disable MFA when a device has to be re-added.
- MFA on systems with security levels below 40 or password levels below 4: The native IBM i 7.6 MFA functionality requires the system to meet these thresholds (security level 40 and password level 4), while Powertech MFA also works on systems with levels below them.
- The ability to add MFA for any type of action: If customers are able to modify the code of their desired application, they can add MFA to any type of action within it. For example, even if a user has successfully logged on to a core banking application, this functionality can be used to verify their authorization to change the balances of customer accounts.
Establish MFA With Fortra’s Security Services
Fortra offers extensive services to help organizations optimize their IBM i security. Our IBM i cybersecurity services are administered by a team of experienced professionals with deep knowledge of the platform and what today’s administrators need to be paying attention to.
Our security services team can help with:
- Implementing MFA on IBM i systems
- Preparing you for audits
- Monitoring and reporting on critical system configurations
Looking at Security Beyond MFA
MFA is an effective security measure, but it should not be relied upon as a primary means of securing IBM i against intrusion attempts. MFA is best utilized when complemented by other solutions, such as:
- Commercial-grade exit programs: Can be used to limit authentication based on the user profile, the IP address, and the type of service (FTP, ODBC, etc.)
- Privileged user management: Provides additional controls to limit access to privileged user profiles
- Command management: Limits access to potentially dangerous commands that can be used to change security settings, end applications or power down the system
Looking Forward
Organizations managing IBM i environments will continue to benefit from Powertech MFA's enterprise-grade approach to authentication security. Our upcoming release will include enhanced integration capabilities that will work seamlessly with both existing and new IBM i authentication architectures.
For us at Fortra, IBM i security has always been a priority, and we remain committed to providing the most comprehensive MFA solution for IBM i environments of all sizes.
Want to See Powertech MFA in Action?
Request a personalized demonstration to see for yourself how Powertech Multi-Factor Authentication for IBM i gives you the power to guard access to your sensitive data and comply with stringent regulations.