IBM i 7.6 Delivers “Massive Security Improvement” With Built-In MFA
April 8, 2025 Alex Woodie
Big Blue today announced IBM i 7.6, the first new release of the operating system in three years. While version 7.6 brings a range of enhancements, arguably the biggest new feature is the addition of multi-factor authentication directly into the operating system, which will make adopting MFA simple and represent a “massive security improvement” at no additional cost to IBM i shops, the IBM i security architect said.
MFA has emerged as an industry requirement to improve security and prevent unauthorized access to applications and data. Most North American banks require customers to enter additional codes that are texted or emailed to them, or to use an authenticator app, such as Authy, to generate time-based one-time passwords (TOTP) on their mobile phones.
The MFA capability that IBM is bringing to IBM i 7.6 works in a similar manner. It utilizes TOTPs generated on authenticator apps such as Authy and others. If the TOTP generated on the authenticator app matches the TOTP generated by the server, the user is granted access.
This approach does not require the installation of any agents, nor does it require network connectivity or a server that delivers passcodes, as other MFA solutions do. That makes it simpler to configure and use, according to Tim Mullenbach, IBM’s senior business architect for IBM i security.
IBM i’s new MFA capability is built upon a “shared secret concept,” Mullenbach said. “We’ll generate a key and its 32-character-long value, and we’ll stick that into the user profile object. You’ll never see that again from the operating system,” he told IT Jungle in a briefing. “At the same time, that 32-character field goes into your phone, your Authy, your authenticator app.”
If the user is working from Navigator for IBM i, the OS will generate a QR code that contains the key. During the enrollment process, the user can simply scan the QR code with his or her phone to upload the key to their authenticator app, Mullenbach said. IBM also supplies a method to generate the client key using CL commands for customers working from a greenscreen environment. Users can get up and running with MFA in as little as 20 minutes, he said.
At runtime, the MFA function simply checks that the TOTP on the user’s device matches the TOTP generated on the IBM i server. If the user is legitimate, the TOTPs will match, since they were generated from the same key (the codes change continually with time, which prevents guessing). If the passcodes don’t match, that indicates a possible hack attempt, and access is denied.
“The code is generated based on the UTC time on your device, with your key, and the math and crypto logic from the TOTP RFC,” Mullenbach said. “That’s why you don’t need anything else. Your device has a key that’s going to generate six digits.”
Because the MFA capability works on a shared-secret concept, no network connectivity is required. That allows security officers who are signing into locked-down IBM i servers firewalled from the Internet, using a QSECOFR user profile, to use this MFA process.
IBM added new fields to its various sign-on screens for IBM i and in the Navigator, ACS, and the Digital Certificate Manager (DCM) interfaces, where users can enter their TOTP. If customers use other client interfaces to access the IBM i server, then the interfaces will need to be modified to add the TOTP field.
It will likely take months or years for vendors to add TOTP fields to all sign-on screens. In the meantime, IBM has provided a workaround that enables users to simply add the six-digit TOTP code to the end of their regular IBM i password. When the user has entered their regular password, they enter a colon (:) and then enter the TOTP.
IBM not only engineered the new MFA capability to be simple to implement and use, but also to be very flexible and adaptable to different situations.
“We’re providing almost an unlimited amount of configurability for administrators on an individual user profile basis,” Mullenbach said. “You can have 10 different people on your system, and they all can have a slightly different requirement based on what they do.”
For instance, IBM allows security administrators to set an interval between one and 720 minutes that determines how often a user must authenticate via the new MFA mechanism. The system may require a user to authenticate via MFA when he or she signs on in the morning, and then not require authentication again for the next twelve hours. This will be useful for enabling users to access applications that do not (yet) support the passing of TOTP values, Mullenbach said.
“That’s where a lot of the flexibility starts to come in, and it’s why I think every single user profile should be able to leverage this in some way,” he said. “The desire is for as many users as possible to have no interval, and they always have to provide it [the TOTP]. We understand that in our ecosystem, that’s not going to be possible for everybody on day one.”
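A worked illustration of the sign-on flow described above, added here and not IBM’s code: an RFC 6238 TOTP generator (HMAC-SHA1, 30-second step, six digits), the password:TOTP split used by the workaround for sign-on screens without a TOTP field, a skew-tolerant check, and the per-profile re-authentication interval. The shared secret is a constructed 32-character base32 string (RFC 6238’s reference key); the one-step clock-skew window, the convention that an interval of 0 means “always prompt”, and all function names are assumptions, not documented IBM i behavior.

```python
import base64
import hashlib
import hmac
import struct

# Constructed shared secret: RFC 6238's reference key "12345678901234567890"
# base32-encoded, which happens to be exactly 32 characters long. A real IBM i
# profile key is generated at enrollment and never displayed again by the OS.
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # IBM i 7.6 sign-on screens take a six-digit code


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for a UTC time (seconds since epoch)."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def split_sign_on(entered: str) -> tuple:
    """Split the 'password:123456' workaround input; (entered, None) if no code."""
    password, sep, code = entered.rpartition(":")
    if sep and len(code) == DIGITS and code.isdigit():
        return password, code
    return entered, None


def verify_totp(secret_b32: str, code, now: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock skew (assumed)."""
    if code is None:
        return False
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def mfa_required(last_mfa_ok: int, now: int, interval_minutes: int) -> bool:
    """Per-profile interval of 1..720 minutes; 0 is assumed to mean always prompt."""
    if interval_minutes == 0:
        return True
    return now - last_mfa_ok >= interval_minutes * 60
```

The expected six-digit values are the last six digits of the RFC 6238 SHA-1 test vectors, so the generator can be checked against the standard without any authenticator app.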
IBM has also added the new MFA capability to its System Service Tools (SST) and Dedicated Service Tools (DST) facilities, Mullenbach said.
In parallel to the MFA implementation, IBM also added a new authentication exit point with IBM i 7.6. This exit point will be called on whenever there is any type of user profile swapping or use of temporary user profiles going on, Mullenbach said. It will also enable third-party software vendors to hook their own biometric or MFA capabilities into IBM’s new MFA facility.
“The expectation is the existing security vendors in the marketplace who have MFA solutions will use that aspect to enhance their existing solutions,” Mullenbach said. “So there’s a lot of flexibility, a lot of different combinations of what you could go with. That, to me, is the best case, where someone uses our TOTP but also is able to add biometric in for some cases. But again, that’s not always going to work in a restricted environment. What we have works always. If you’ve got a sign on screen, you can put in the six digits and you have multifactor authentication.”
This MFA capability has been a long time in coming, Mullenbach said. The Large User Group (LUG) and other advisory groups have been asking for IBM to build MFA into IBM i at the operating system level for at least five years. IBM had consistently resisted the requirement because of the technical complexity of building something that would work in all use cases. But eventually the demand for MFA became too great, and IBM relented.
“Even internally in IBM, we have to be using MFA for our systems. And we need to, as they say, eat our own dog food here. We need to be doing this ourselves,” Mullenbach said. “As I was looking at it, we came up with a way that we could make it work with all these different configuration options. There are things in the world running on IBM i that will not work with this MFA facility. We didn’t let that get in the way of saying, hey, we can provide something very useful to the vast majority of our customers and for the vast majority of the profiles on their system.”
This MFA facility required making changes throughout the IBM i operating system, which is why it took more than four years to develop, Mullenbach said. It’s also why MFA is only available on IBM i 7.6, and why it won’t be added back to older releases of the OS via PTF.
“It is a simple, integrated version. It’s not super flashy. I know there’s some other, much more complicated MFA solutions out there,” Mullenbach said. “We’re not saying this is supposed to displace your existing solutions, but I think we have a huge segment of our market, the small or medium shops that can just start to use this, when they would have never considered trying to purchase or go figure out a more complicated solution. That administrator can just, in a few hours, turn it on, have this up – a massive security improvement for authentication.”
IBM i 7.6 will be generally available on April 18. IBM chief technology officer Steve Will is hosting a webcast on April 10, at 9 a.m. ET to discuss the new release as well as the release of IBM i 7.5 Technology Refresh 6. You can sign up here.
There are lots of other improvements in IBM i 7.6 and IBM i 7.5 TR6, which IBM also announced. Be on the lookout for all the pertinent coverage in future issues of The Four Hundred.