Raz-Lee Simplifies MFA for IBM i
April 24, 2024 Alex Woodie
The need for multi-factor authentication (MFA) has never been higher, as cybercriminals continue to compromise corporate and governmental systems to steal data and hold systems for ransom. That market need has led Raz-Lee Security to add several new features to its MFA solution that should help its customers stop, or at least significantly slow, unauthorized access to IBM i.
Raz-Lee Security has sold MFA as part of its comprehensive iSecurity suite for several years, going back at least to December 2021, according to the company’s release notes for the product. With this month’s update to Raz-Lee MFA, the company has focused on making the software easier and more intuitive to use.
In previous releases of MFA, IBM i users had to open an email or an SMS message sent by the MFA server and click on a link in order to authenticate themselves and gain access to IBM i, according to Shmuel Zailer, the CEO of Raz-Lee.
With MFA version 7.01, Raz-Lee has developed its own software that runs on mobile phones and provides integration with major authentication standards, such as OAuth 2.0, OpenID, and RADIUS. This will allow Raz-Lee MFA to work with common authentication apps, such as Duo and RSA, and also leverage users’ accounts, such as Facebook or Google, to sign in.
“We have finished writing our own application for Android and iPhone which will enable us to do push notifications, so that when you sign on or when you start using FTP or anything else, you will find on the screen already a notification requiring you to ensure that it’s you and not somebody else,” Zailer said. “So now it is going to be much smoother and direct.”
The MFA offering supports one-time passwords (OTP) as well as time-based one-time passwords (TOTP), which change every 30 seconds. With this release it adds support for TOTP tokens as defined by the RFC 6238 algorithm, which is used by authenticator apps like Google Authenticator and Microsoft Authenticator, and also used by other software- and hardware-based token generators.
Supporting multiple authentication apps, methods, and protocols gives Raz-Lee customers more choice in how they sign on to the IBM i server, Zailer said.
“When you see the result of the app, then you can use your authentication to your cell phone, which is your fingerprint or your face recognition or a pattern which you draw with your finger–whatever you wish, it will be available,” he told IT Jungle in a recent interview. “This is something which we are very happy we did, and we thought a lot about it.”
The Web giants, such as Google and Facebook, have thousands of engineers available to make their authentication processes smooth and secure, and Raz-Lee is more than happy to leverage what they have done to improve the authentication process for its customers.
“We are able to use their verification instead of using our own verification,” he says. “If Google says that you have been verified properly, then it is good for us.”
Raz-Lee MFA is a native IBM i-based MFA solution that modifies the IBM i server’s configuration to require more stringent authentication when a user tries to sign on or access certain services, including FTP, ODBC, DDM/DRDA, REXEC, and the IFS, among others. It builds on IBM i’s existing user ID and password authentication by requiring users to enter an additional password or token.
Raz-Lee MFA works at the user level as well as the IP-address level, and can be configured to treat users differently depending on their physical location and other conditions. For instance, even though a single user may have multiple user profiles on multiple LPARs, Raz-Lee MFA can authenticate the user once and not require re-authentication as long as the user’s IP address hasn’t changed, the company says.
In other cases, it can be configured to require users that belong to a certain IP group to authenticate themselves via MFA methods if they’re in certain locations (as defined by their IP address), but to bypass MFA entirely if they’re determined to be logging in from within the company’s network.
Some users may not require MFA when attempting to access the IBM i server from inside the network, but will be denied any access to the system when outside the network. This provides more flexibility and security for companies with remote workers.
The recent MGM ransomware attack, which cost the casino giant a reported $100 million, is a potent reminder of the importance of strong user authentication. In the hack, cybercriminals reportedly gained entry to MGM’s internal systems by calling the IT help desk and requesting a password reset. The attackers successfully impersonated the IT workers through a combination of learning basic information about their victims via LinkedIn as well as voice phishing, or “vishing.”
Security experts say the cyberattack may not have been successful if MGM had implemented MFA and enforced strong authentication techniques. MFA is now required to be in place by insurance companies before they will write ransomware policies, according to Raz-Lee.
The IBM i security company, which is based in New York and Israel, shared a quote from Melanie Maynes, the director of product marketing and identity at Microsoft, that emphasizes the importance of MFA. She said: “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks.”
You can find more information about Raz-Lee MFA here.