Hi Jake,

Disclosure: I'm one of the architects of IBM MFA for z/OS.

The goal of multi-factor authentication is to strengthen the link between a human being and the actions taken by a logical account (because a logical account is what the SAF-implementing ESM is capable of authorizing and auditing). Sharing a single (or few) logical accounts across many human beings is an anti-pattern that is incompatible with that goal.

The only way to satisfy the criteria, as written, would be to depend on a layer entirely outside z/OS and the ESM to handle both a) authentication mechanics and b) authorization and auditing of all user actions. I personally would never recommend this approach, as it takes control away from the ESM and dramatically reduces the utility of its audit logs. But if your mainframe environment is very limited (only running 3270 and SSH, say), maybe that approach could be made to work / pass an audit.

I'm happy to take questions off-list.

-Jared

Jared Hunter
Senior Manager, Z Security
Rocket Software
77 Fourth Avenue • Waltham, MA 02451 • USA
t: +1 781 684 2162 • m: +1 617 821 3745 • e: jhun...@rs.com • he / him / his

Date: Tue, 25 Aug 2020 11:16:09 +0400
From: Jake Anderson <justmainfra...@gmail.com>
Subject: Mainframe Multi factor authentication possibilities

Hello,

Cross posted.

We are planning to implement 2FA for mainframe logons. Here we have a challenge where we use a common mainframe ID, and we would like to know if there is a way to enforce 2FA which can identify a person based on a fingerprint or any other mechanism that can identify a person even if he uses a common mainframe ID.

Could someone share your experience if you have a similar setup in your datacenter?

z/OS 2.2

Jake

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN