Very good reply.

I do wonder about the shared IDs. For example, QSECOFR will likely be the
first one people will want to MFA. With TOTP it's no problem to log on to
the system in restricted state and still have it work. But, let's say it's
our downtime weekend and we have three people working it. Granted, we
could get one of those TOTP devices and just pass it around. But what if
we evolve to working from home during OS and PTF upgrades? It's not so
far-fetched as some might figure. The systems are already in a remote
datacenter that most of the people working the downtimes have never been
to. Right now we still drag you into the office so you can pass on the
writeups on the downtime notes to the next person. And, honestly, the home
internet I have is kind of slow and shaky. Which is REALLY frustrating as
two different companies have fiber trunk lines within 2 feet of my mailbox
but they won't service me, unless I want to pay for business class service.

On Tue, Apr 8, 2025 at 10:29 AM cesco via MIDRANGE-L <
midrange-l@xxxxxxxxxxxxxxxxxx> wrote:
Must be a tough market since IBM will give that to you free if you
upgrade

In any case the new system allows for external authenticators (exit
programs) for many other sorts of added auth, enabling VAR solutions etc.
In all sincerity, it is almost impossible to seriously implement a MFA
scenario without OS and hardware assistance to protect the underlying
pass/seeds.

For some line of business in the past I've implemented TOTP on the i for
some particular RPG application functionality (but the "seeds" were stored
in a normal table, totally controlled by a PGM with adopted auth). It was
functional for our limited case, but I'm not sure it will pass the test for
"real" security of the stored info, and integration.

TOTP is simple, standard and has few dependencies (a pass and... time,
but I guess it is hard to avoid that one dependency in the end anyway ; ) ).

I don't like the position of some, i.e. external applications nowadays
requiring a cell phone, or SMS stuff... now you have created a thing that
is difficult to share (say in a dept), and maybe even requires a cell
contract, plus on a device that is insecure due to complexity and a big
market for spyware targeting cell phones.
With TOTP you can have really dumb hardware (simple, no OS) like credit card
sized devices; you click and you get the code, and such devices last for years.

IMHO IBM interpreted such a feature correctly, giving the basics, basic
working commands, that should be integrated as per the spirit of the system,
using RFC 6238 ... pretty neat.

.c
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
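As an added illustration of the RFC 6238 mechanism the thread discusses (this is not code from the thread, not IBM's TOTP commands, and not the RPG/table-based implementation cesco describes), the block below implements HOTP (RFC 4226) and TOTP (RFC 6238) in Python and adds a small verifier. The verifier shows the two things a practitioner would want on a shared profile such as QSECOFR: a drift window of one step on either side, and the one-time rule from RFC 6238 section 5.2, so the same code read off a shared hardware token cannot be accepted twice. The `TotpVerifier` class, its `window` parameter and `last_step_used` field are assumptions about how one would wire this up; the secret and expected codes in the test are the published RFC test vectors.

```python
"""
Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation with a verifier that
enforces the one-time property.  Added illustration only; not IBM's TOTP
support and not the RPG implementation described in the thread.
"""
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 4226 / RFC 6238 Appendix B (SHA-1 test vectors).
RFC_SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 form that enrollment QR codes / authenticator apps use."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore any stripped padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                             # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check for one account (or one shared profile such as QSECOFR).

    Assumed design (not from the RFC text itself):
    - accepts codes from `window` steps on either side of the current step to
      tolerate clock drift between token and host;
    - never accepts a step at or below the highest step already used, so a code
      cannot be replayed (RFC 6238 section 5.2), even by a second operator who
      read the same number off a shared hardware token.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algo = window, algo
        self.last_step_used = -1   # in production persist this per profile

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else int(unix_time)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step_used:
                continue                # already consumed or older: treat as replay
            expected = hotp(self.secret, step, self.digits, self.algo)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_step_used = step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    v = TotpVerifier(RFC_SECRET)
    print("current code:      ", code)
    print("first use accepted:", v.verify(code, now))
    print("replay accepted:   ", v.verify(code, now))
```

Note that the secret here is a plain byte string in memory; as the message above says, the hard part of a real deployment is where that seed lives, which this example deliberately does not solve.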