Introduction

Current security regulations recognize that passwords are not enough. Securing sensitive systems requires verifying more than something you know (such as a password). You also need to prove something you have (such as a phone that can receive SMS messages or an email address) or something you are (a biometric check, such as a fingerprint or retina scan). Checking more than one of these factors is known as Multi-Factor Authentication (MFA).

iSecurity Multi-Factor Authentication implements this system for your IBM i. It can control not only logins but also connection attempts via FTP, ODBC, and other methods. When a user attempts to connect via one of these methods from an IP address that has not been explicitly pre-approved, iSecurity MFA sends a message to the user's cellphone, email, or both. If the user does not respond or does not authorize the connection, the attempt is logged and blocked.

Using the MFA management interface, as documented in this manual, administrators can specify the protocols for which specific users and groups require MFA, as well as the IP address ranges from which they do not need it. You can also specify how long the MFA passcodes need to be as well as how long the user has to respond to a confirmation message.

A user who requires MFA and tries to log on to a system from an IP address that has not been pre-approved receives an email, SMS message, or both containing a passcode. Entering the passcode completes the login.

When the user, or a job that the user runs, initiates a connection via one of several other protocols, the system sends a unique link to the user by SMS or email. The user must follow the link for the connection to continue.