It is probably fair to say that most of us are familiar with some form of multi-factor authentication (MFA), if not by name then by usage. MFA is becoming more and more ubiquitous in both our professional and personal online lives. Many of us meet it at work, where we cannot log in to our laptop unless we insert a USB security key or similar hardware token, and nearly all of us use some form of MFA for online banking.
The reason for introducing MFA is pretty obvious: additional layers of defence make for a more secure system. It is, however, worth stepping back for a moment to explore what drove the introduction of this technology.
Single-Factor Authentication
What is single-factor authentication? Essentially it is the way we have logged into our systems and applications up until now: by providing a user ID and a password. While in theory a password should be very hard to crack, the evidence shows that human nature works against us in achieving that. A good, strong password does provide good security; most of us simply do not use one.
For single-factor authentication to be effective, passwords must be kept secret and they must be strong. Given the number of systems people need passwords for, at work and at home, it is not uncommon for people to breach the secrecy requirement by writing them down, on a sticky note on the monitor or in a not-so-secret little black book of passwords. Even where passwords are kept secret, they are often reused. The problem with reuse is that if we use the same password on some low-value website with poor security, attackers who breach that site obtain our password and then try it, and variations of it, against our banking and corporate accounts (a technique known as credential stuffing).
Another weakness of passwords is the range of techniques attackers have for discovering them: malware, keyloggers, phishing, and brute-force and dictionary attacks (to which default and common passwords fall immediately). Interestingly, the billions of passwords stolen in breaches over the years have given attackers a great deal of insight into how people construct passwords. Armed with that knowledge, the rule-based guessing used by cracking tools has become very effective.
As a countermeasure, many organizations began to stipulate that passwords include a greater variety of characters: a mix of upper- and lower-case letters, numerals and other symbols. Again due to human nature, this has not made passwords much harder for cracking tools to break. In a large number of cases people meet the requirement by merely appending a digit or symbol to their name or existing password, such as “myname_1”, or by making common substitutions in a base word, for example “GOAL1BlACK$”. Cracking tools apply exactly those substitution and append rules to their wordlists, so such passwords are still quite easy to break. It turns out that length is the most important factor in password strength: throwing a few substituted characters into a short word adds little, whereas simply making the password longer adds a great deal. The fascinating comic below addresses this issue and suggests that “ALLBLACKSTENNISBRAZILRABBIT” would be harder to crack than “GOAL1BlACK$”, with the significant advantage that the former is far easier to remember than the latter.
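As an added illustration, not part of the original post, the Python below estimates how many guesses the two passwords above cost an attacker under two models: the character-class brute force that complexity rules implicitly assume, and the wordlist-plus-mangling-rules model that cracking tools actually use. The wordlist, its assumed size of 10,000 entries, and the per-rule costs are constructed assumptions for this example; leet substitutions such as 1 for l are deliberately not modelled, which only makes a real attacker cheaper than the estimate.

```python
import math
import string

# Toy wordlist, constructed for this example; a real cracker uses 10^4..10^8 entries.
# Only membership matters here: every dictionary hit is charged DICT_SIZE guesses (the
# assumed size of the attacker's list), so the short list does not skew the estimate.
WORDS = {"all", "black", "blacks", "goal", "tennis", "brazil", "rabbit",
         "password", "summer", "dragon", "welcome"}
DICT_SIZE = 10_000                 # assumed size of the attacker's wordlist
MAX_WORD = max(len(w) for w in WORDS)
SYMBOLS = string.punctuation       # 32 printable ASCII symbols


def case_multiplier(word: str) -> int:
    """Extra guesses needed for a word's capitalisation. lower, UPPER and Capitalised
    are standard mangling rules (one cheap rule each); an arbitrary mixture forces the
    attacker to toggle every letter."""
    if word.islower():
        return 1
    if word.isupper() or word == word.capitalize():
        return 2
    return 2 ** len(word)


def segment(pw: str) -> list:
    """Greedy longest-match split into (kind, text) tokens: 'word' for dictionary
    hits, 'digit', 'symbol', or 'letter' for letters no dictionary word explains."""
    tokens, i, low = [], 0, pw.lower()
    while i < len(pw):
        c = pw[i]
        if c.isalpha():
            for n in range(min(MAX_WORD, len(pw) - i), 0, -1):
                if low[i:i + n] in WORDS:
                    tokens.append(("word", pw[i:i + n]))
                    i += n
                    break
            else:
                tokens.append(("letter", c))
                i += 1
        elif c.isdigit():
            tokens.append(("digit", c))
            i += 1
        else:
            tokens.append(("symbol", c))
            i += 1
    return tokens


def word_model_bits(pw: str) -> float:
    """log2(guesses) for a cracker that combines wordlist entries with case rules and
    inserted or appended digits and symbols: the model real cracking tools use."""
    guesses = 1
    for kind, tok in segment(pw):
        if kind == "word":
            guesses *= DICT_SIZE * case_multiplier(tok)
        elif kind == "digit":
            guesses *= 10
        elif kind == "symbol":
            guesses *= len(SYMBOLS)
        else:                      # stray letter: fall back to per-character guessing
            guesses *= 26
    return math.log2(guesses)


def brute_force_bits(pw: str) -> float:
    """log2(guesses) if the attacker knew only which character classes appear: the
    figure complexity rules optimise for, and usually a large overestimate."""
    if not pw:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += len(SYMBOLS)
    return len(pw) * math.log2(alphabet)


def compare(pw: str) -> dict:
    """Both estimates side by side, plus how the password was segmented."""
    return {"password": pw, "length": len(pw),
            "tokens": [t for _, t in segment(pw)],
            "brute_force_bits": round(brute_force_bits(pw), 1),
            "word_model_bits": round(word_model_bits(pw), 1)}


if __name__ == "__main__":
    for pw in ("GOAL1BlACK$", "ALLBLACKSTENNISBRAZILRABBIT"):
        print(compare(pw))
```

Under these assumptions “GOAL1BlACK$” looks like roughly 72 bits to a brute-force attacker but only about 41 bits to one using a wordlist with case, digit and symbol rules, while the all-letters passphrase costs about 71 bits even under the wordlist model (and about 127 bits by brute force). The gap between the two columns for the short password is the illusion that complexity rules create.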
Passwords are, of course, still an important part of the security equation, so they are not going to disappear from our authentication processes just yet. To keep them strong, treat them like underpants: never share them with anyone, and change them whenever there is any sign of compromise (current guidance such as NIST SP 800-63B no longer recommends forcing periodic changes, which tend to produce exactly the predictable “myname_2” increments discussed above).
But passwords alone are simply not secure enough, as Verizon’s 2016 Data Breach Investigations Report demonstrated: 63% of confirmed data breaches involved weak, default or stolen passwords. Compromised credentials are the leading cause of the flood of data breaches we have witnessed around the world in the last few years. As a consequence of their weakness, another technique has been recruited to strengthen our defences: multi-factor authentication.
Multi-Factor Authentication
MFA is an authentication process that requires two or more of the following “factors” (easily remembered as something you know, something you have and something you are):
- Knowledge factor: something you know, generally the traditional password (assuming you can remember it). PINs and security questions fall into this category too.
- Possession factor: something you have that is unique to each user. If someone obtains or guesses your password, they could potentially log in to your system from anywhere in the world; requiring the user to also hold a physical item greatly reduces the chance of a breach. Examples are RSA SecurID tokens, USB security keys such as YubiKeys, authenticator apps that generate one-time passwords (OTPs), and OTPs sent to a mobile phone by SMS/text (the weakest of these, since SMS can be intercepted or redirected by SIM swapping).
- Inherence factor: something you are, typically confirmed by the individual’s biometrics, such as fingerprint, retina, voice or face recognition.
Note that two-factor authentication (2FA) and MFA are essentially the same idea: 2FA specifically refers to using exactly two factors, while MFA refers to using two or more.
An important feature of MFA is that each method used must belong to a different factor. For example, a system requiring two different passwords, or a password and a security question, would not qualify as MFA, because both steps ask for something you know. That approach is better described as two-step verification, not MFA.
Interestingly, while we might think of the growing ubiquity of MFA as a recent phenomenon, most of us have been using the technique for decades: every time we use an ATM we present a bank card (something we have) and a PIN (something we know).
Multi-Factor Authentication Governance
Many regulations and standards around the world now require MFA in the user authentication process, or expect it as a baseline control, including PCI DSS, 23 NYCRR 500, HIPAA, the NIST Cybersecurity Framework and Sarbanes-Oxley. In many other situations it is highly recommended as a way of reducing the chance of breaching data protection laws such as the GDPR or Singapore’s PDPA, and suffering the resulting heavy penalties.
Of relevance to the many IBM i shops in Singapore’s financial sector, the Monetary Authority of Singapore recently (6 August 2019) made it a legal requirement for financial institutions to implement multi-factor authentication in the following situations (refer to the MAS notice for more information):
“(a) all administrative accounts in respect of any operating system, database, application, security appliance or network device that is a critical system; and
(b) all accounts on any system used by the relevant entity to access customer information through the internet.”
The requirement to implement MFA is not entirely new for some organisations. What has changed of late is its scope: from being required only for users accessing internal systems from external locations, it is now often required for anyone accessing sensitive information, even from within the organisation’s own walls.
Multi-Factor Authentication and IBM i
It can be tricky for IBM i organisations to work out how to apply multi-factor authentication in their IBM i environment. The vast majority of MFA solutions do not run on IBM i, so another way has to be found for the platform to meet its MFA obligations. The irony is that the IBM i is very likely holding a significant proportion of your most sensitive data.
For some organisations the answer will be to write in-house code linking IBM i authentication to an MFA solution running on another platform, with the inherent commercial risk of writing and maintaining that code yourself.
As a stronger option, here at Joule Tech we have a couple of MFA solutions specifically focused on the IBM i. With one approach, the system runs entirely on and from your IBM i. We also have an option for organisations that are already using, or planning to use, systems such as RSA SecurID or YubiKey.
If you are interested in learning more about integrating multi-factor authentication into your IBM i authentication process, Contact Us here.