Password Security: Single Factor, 2FA and Multi-Factor Authentication
On May 7, IT and technology businesses around the world celebrated World Password Day, a day meant to remind everyone of the importance of keeping personal and business data protected and secure. Unfortunately, surveys released on that day revealed that the changing dynamics of work—that is, the increase of remote workers—are putting password security in jeopardy. According to OneLogin, 17.4% of global respondents have shared their work device password with someone in their family, opening the door not only to exposing corporate data, but other vulnerabilities.
Passwords used to be simple to secure: you had to create a username and a unique password, and that was essentially it. Unfortunately, hackers have become more sophisticated, leading to more data breaches. For systems such as the IBM Z, which is used by the healthcare industry, financial institutions and governments, maintaining data security is of the utmost importance. Unwanted access can result in lost revenue, shattered customer confidence and costly compliance penalties. Below, we’ll outline different authentication options on the IBM Z and on other work devices, and how to keep them secure.
One-factor authentications typically consist of passwords and passphrases, yet in recent years have also come to include biometric authentication. Most work-related activities, including emails and building access, are only set up for single-factor authentication, which isn’t ideal as this tends to be the least secure option. In RACF, there are some precautions that can be taken to enhance the security of passwords, including implementing rules around the number and types of characters necessary to create a password. It also allows users to implement passphrases, which can include spaces and hold a maximum of 100 characters. These provide users, and the mainframe, with increased security as passphrases are more difficult for hackers to determine, Make sure your password or passphrase contains a mix of characters and is unique. Don’t use personal passwords for work accounts.
Beyond passwords and passphrases, RACF offers other options for single-factor authentication that increase security. PassTicket enables the ability to create a single-use code that is not reusable and is time-dependent. End-users receive the PassTicket, or one-time use code, and use that to authenticate their identity. Digital certificates can also be used, where end users are binded to a public key infrastructure. The electronic “password” is secured by a Certificate Authority (CA), contains the digital signature and specifies the identity associated with the key, such as the name of the organization. One party uses a certificate of identification, and the other party must validate the identification. For the process to work, both parties must store their certificates in their own database.
Two-factor authentication typically combines a password with a one-time use code, sent to a device tied to the user’s identity. These are usually used in personal accounts, but can be implemented for work emails and devices. They are more secure than passwords, as ideally, only the specified user has access to the devices containing the code. Codes are also time-dependent and expire if they aren’t used quickly enough. Setting this up for secure workplace data is an important step in preventing accounts being accessed by unauthorized users.
The IBM Z Multi-Factor Authentication for (Z MFA) introduces the ideal security measure for important data secured on the mainframe. With IBM Z MFA, users need to authenticate their access using multiple-authentication factors. These could include:
- Something they know, such as a password or passphrase;
- Something they have, such as a badge or cryptographic token; and
- Something they are, which include biometric markers such as fingerprint ID.
As mainframes hold some of the world’s most valuable data, implementing the highest security standards is of the utmost importance. The IBM Z MFA is also flexible, allowing users to select particular authentication factors they can use. This enhances their ability to remember the factors without resorting to unsafe measures, such as writing the password down. When used together, Z MFA and RACF create layered defenses for users, increasing the mainframe’s security.
As remote work becomes increasingly common and users are accessing data from new devices and places, businesses need to consider the security of their most important information. Ensure that users are aware of the risks associated with poor quality passwords, and inform them of alternate options for authentication. On mainframes, where important finance, healthcare and government data is stored, there are many options for increasing security and protecting information.