maxava

Welcoming the IBM Community

mfa

MFA: A Complete Guide to Affected Areas – Part 1

by

Andy Youens
in ,
5
(3)

This article continues our deep dive into Multi Factor Authentication (MFA) on IBM i, focusing on the new features introduced in version 7.6

If you’re new to MFA or need a refresher, you can start with the first part of this series, What is Multi, Factor Authentication? available here.

What Makes IBM i 7.6 MFA Different?

Unlike third party MFA solutions, IBM’s native implementation has access to all authentication interfaces throughout the operating system. This means MFA protection extends beyond just selected exit points to encompass every area where users must prove their identity.

The solution uses industry standard TOTP (RFC 6238), with authenticator apps like Microsoft Authenticator, Okta, Duo, or Authy, no additional software purchase required, no network connectivity needed and no agent installation necessary.

Prerequisites: System Values That Must Be Set

Before implementing MFA, two critical system values must be configured:

QSECURITY: (Global Security Level) Must be set to level 40 or 50
QPWDLVL (Password Level): Must be set to level 4

These requirements ensure your system meets the security baseline necessary for MFA operation. Systems running at lower levels of the operating system will need to be upgraded before MFA can be enabled.

Primary Areas Affected by MFA

1. Traditional Sign On Displays (5250 Emulation)

The most visible change appears on traditional green screen sign on displays. After enabling MFA and performing an IPL, all sign-on screens will display a new “Additional Signon Factor” field where users enter their six digit TOTP code.

Impact: Users accustomed to entering only user ID and password will now see this additional field. However, it only becomes mandatory after users are enrolled and their profiles are configured to require MFA.

2. IBM Navigator for i

Navigator for i has been enhanced with complete MFA functionality:

New MFA Configuration page under Security
User enrolment interface with QR code generation
Profile management for enabling/disabling MFA requirements
Additional Signon Factor field on all Navigator sign in screens

Impact: This is the primary interface for MFA enrolment and management. Non, *ALLOBJ users are automatically directed to the enrolment screen by default.

3. IBM Access Client Solutions (ACS)

All ACS components that require authentication now support the additional authentication factor field:

5250 emulation sessions
Run SQL Scripts
Schema Viewer
Other ACS tools requiring sign on

Impact: Users accessing multiple ACS tools may need to enter their TOTP multiple times unless you configure the optional interval feature (more on this below).

4. SSH Connections

SSH presents a unique challenge as it doesn’t display a traditional sign on screen with separate fields. IBM’s solution requires users to append the TOTP to their password using a colon separator:

Format: password:TOTPcode

Example: Str0ngPassw#rd:559013

Impact: This requires user education, as the SSH prompt provides no indication that the additional factor is required. Many administrators may choose to use the optional interval feature to reduce friction for SSH users.

5. System Service Tools (SST) & Dedicated Service Tools (DST)

IBM has implemented a separate MFA mechanism specifically for SST and DST access. This implementation is independent of the main IBM i MFA system and uses different verification logic.

Impact: Service professionals and administrators accessing these tools will encounter MFA protection even in restricted or locked down environments with no Internet connectivity.

6. Digital Certificate Manager (DCM)

The DCM interface has been updated to include the additional authentication factor field on its sign on screens.

Impact: Certificate management operations now benefit from enhanced security through MFA protection.

7. ODBC and Database Connections

Database connections requiring authentication are affected by MFA implementation:

ODBC connections from Windows servers
Automated database access processes
SQL connections requiring user authentication

Impact: Automated processes may need special handling using the new non changeable user profiles (see below) or the optional interval feature to avoid disrupting scheduled operations.

8. FTP & File Transfer Protocols

Any file transfer protocol requiring IBM i authentication will be affected when MFA is enabled for specific user profiles.

Impact: Like SSH, FTP clients may need to concatenate passwords and TOTP codes, or administrators may need to leverage the optional interval or specialised profiles.

9. Web Applications & HTTP Server

Web based applications authenticating against IBM i user profiles will need to accommodate the additional authentication factor.

Impact: Custom web applications may require interface updates to collect and pass TOTP values. The optional interval feature can provide a grace period for applications not yet updated.

10. New Authentication Exit Point

IBM i 7.6 introduces a new authentication exit point that triggers during:

User profile swapping operations
Temporary user profile usage
Any authentication event system wide

Impact: This exit point enables third party security vendors to integrate their biometric or MFA solutions with IBM’s native MFA facility, providing hybrid security approaches.

In the next article we will cover the _NC profiles, optional interval feature, per user customisation, monitoring and compliance, migration paths, network time protocol, coexistence with third party software, why this is 7.6 only and give our implementation recommendations.

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 3

No votes so far! Be the first to rate this post.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *