Multifactor authentication

Multifactor authentication requires users to present two or more independent pieces of evidence, called factors, to prove their identity when they log in to the system. Any combination of two or more factors can be used to authenticate users to your resources and protect those resources from unauthorized access: because the factors are independent, an attacker who compromises one of them, for example by phishing a password, still cannot complete the login.

A key requirement of multifactor authentication is that each factor comes from a different category; two factors from the same category, such as a password and a PIN, do not count as multifactor authentication. The categories are the following:
Something a user knows
Users authenticate with information that only the individual user knows, such as a password or PIN.
Something a user has
Users prove their identity by possessing something, such as a registered mobile device, an authenticator application, or a hardware security key, that generates or receives a one-time passcode from a trusted authentication service.
Something a user is
Users prove their identity with biometrics, such as fingerprint or retinal scans.

With the adoption of cloud-based services, multifactor authentication increases control over user access and security settings. A single factor alone, such as a username and password combination, does not provide the level of protection that is required in cloud and hybrid-cloud environments. With multifactor authentication support, security administrators can reinforce account protection, create granular access for users and user groups, and monitor access more efficiently at a system level.

Multifactor authentication with IBM Security Verify

The system integrates with IBM® Security Verify, a cloud-based identity and access management (IAM) service, which provides the second factors.

With IBM Security Verify, security administrators register the system as an application that requires two factors from the users and user groups that access the system through either the management GUI or the CLI.

Multifactor authentication can be used to protect both local users, including superuser, and remote users.

Remote users are users who are defined on a remote LDAP server. For remote users that authenticate with LDAP servers, install and configure IBM Security Verify Bridge for Directory Sync on your LDAP server, such as Windows Active Directory. IBM Security Verify Bridge for Directory Sync duplicates any users and groups that are defined on the source LDAP server into the Cloud Directory in IBM Security Verify. Any subsequent changes that are made to the source LDAP server are copied automatically to the Cloud Directory in IBM Security Verify. For more information, see IBM Security Verify Bridge for Directory Sync in the IBM Security Verify documentation.

The following table shows the second factors that IBM Security Verify currently supports for access to the management GUI and to the command-line interface.
Table 1. Second factors that are supported for management GUI and command-line interface access

Second factor     | Supported on IBM Security Verify | Management GUI (OpenID Connect, OIDC) | Command-line interface (PAM) | Details
SMS OTP           | Yes | Yes | Yes | A one-time passcode is sent by SMS to the user's registered phone number.
Email OTP         | Yes | Yes | Yes | A one-time passcode is sent to the user's registered email address.
Voice OTP         | Yes | Yes | Yes | A one-time passcode is delivered by voice call to the user's registered phone number.
Time-based OTP    | Yes | Yes | Yes | A one-time passcode is generated by an authenticator application on the user's mobile device, such as IBM Verify.
FIDO2 device      | Yes | Yes | No  | FIDO2 is an Internet standard for passwordless authentication to online services with common devices, such as a platform authenticator with a touch or biometric sensor (for example, Mac Touch ID) or a USB security key (for example, YubiKey).
QR code           | Yes | Yes | No  | The user scans a generated QR code with a device to gain access to the system.
Push notification | Yes | Yes | Yes | An alert is sent directly to a mobile application, such as IBM Verify, where the user approves or denies the authentication attempt.

FIDO2 devices and QR codes are not available for CLI logins through PAM, so a user who is enrolled only in those factors cannot complete a CLI login. Enroll users who need CLI access in at least one PAM-supported factor, such as time-based OTP or push notification.

IBM Security Verify treats the management GUI and the command-line interface as separate API clients, each with its own client credentials. For GUI-based logins, the system communicates with IBM Security Verify through the OpenID Connect (OIDC) protocol; CLI logins are handled through PAM, which is why the two interfaces support different sets of second factors.