Multi-factor authentication adoption by mainframe user organisations is being held up by concerns around disrupting essential applications, skills shortages and end user resistance.
According to the poll, 64% of mainframe users are aware that multi-factor authentication is now available to control access to mainframe applications, but only 20% acknowledge their organisation is already using it or plans to do so.
“With data protection and security a major priority among most enterprises, it’s concerning that this new survey suggests mainframe shops have been slow to take up multi-factor authentication, which has been available for the platform since 2016,” said Keith Banham, Mainframe Research and Development Manager at Macro 4. “Continuing to rely on a password alone for user authentication exposes business-critical applications to unacceptable risk. Hackers are now very adept at misleading people into revealing their passwords or they use technology to crack, steal or bypass them altogether.”
Beyond the password
Mainframe multi-factor authentication systems can integrate with IBM’s Resource Access Control Facility (RACF) and go beyond traditional password verification methods by requiring users to present additional proof of identity, such as a password, a physical token, a biometric identifier or a time-restricted randomised PIN generated by a mobile app or other device.
The poll found that 59% were aware that multi-factor authentication is a key component of compliance, with regulations such as GDPR and the Payment Card Industry Data Security Standard (PCI DSS) requiring enterprises to take effective measures to control and protect access to personal information.
When asked to explain the reasons why businesses that run mainframes are not yet implementing multi-factor authentication, some cited the risks that come with making changes to older applications and others pointed to a lack of mainframe skills.
A lack of IT security skills and the cost of installing multi-factor authentication hardware were also identified as challenges. Some respondents also felt that their companies face resistance from end users, which is something experienced by many large enterprises (not just mainframe customers) when they try to introduce multi-factor authentication.
In your opinion, why are businesses who are running mainframes not yet implementing multi-factor authentication (MFA)?
• Risks of changing older applications to support MFA: 28%
• Lack of mainframe skills: 25%
• Challenges and cost of installing MFA hardware: 22%
• Lack of IT security skills: 22%
• End users are resistant: 21%
• Challenges and cost of installing MFA software: 17%
• Businesses don’t feel it’s necessary: 16%
• The whole implementation process is too complex: 12%
According to Banham, mainframe customers must find ways to make multi-factor authentication roll-outs easier and less onerous. One solution involves modern session management software, which many organisations already use to give their users single sign-on access to their mainframe applications.
“A session manager only requires users to log in once in order to access all their applications. They can then switch between their applications throughout the day without having to re-authenticate each time. Implementing MFA on a session manager can therefore save a lot of effort because you only have to do it in one place – the session manager – rather than on the many individual applications that are typically hosted on a mainframe. And by choosing this approach you don’t actually touch the applications themselves so there’s no risk of causing any disruption,” said Banham.
“An additional challenge is that some older mainframe applications may not be compatible with multi-factor authentication, so using a session manager sidesteps the need for additional coding changes to support multi-factor authentication.”
Session managers can also help to reduce resistance from those end users who are reluctant to adopt new authentication methods.
“By incorporating help and guidance messages – or reminders about the new authentication process – on the session manager login screen, you can minimise any initial end user confusion and help make multi-factor authentication roll-outs a more user-friendly experience.”
“Any new technology roll-out will bring challenges, whether they’re technical hurdles, concerns over resources or reluctance from people who aren’t comfortable with having to change, but adopting multi-factor authentication is something mainframe shops must do, so it’s good news that there are shortcuts available to make it easier.”