Fewer than one in five IBM mainframe customers are using multi-factor authentication

Mainframe users cited concerns about disruption and end-user resistance as reasons not to employ MFA

Security teams regularly use multi-factor authentication to protect computing applications, but a survey has found that it is much less common among mainframe owners, despite its availability.

In multi-factor authentication (MFA), a user must confirm their identity using at least two pieces of evidence drawn from three categories: knowledge (something only the user knows); possession (something only the user has access to); and inherence (something the user is). Some examples could be a childhood nickname; a smartphone (think Google Authenticator); and biometrics.

The major advantage of MFA is that it makes it much more difficult for an attack such as a keylogger to steal credentials, as it will only be able to 'see' part of the app's security.

While IBM pushed MFA to its mainframe platform in 2016, adoption has been slow, with just 15 per cent of mainframe owners using the protocol and five per cent planning to do so.

According to a survey of 81 IBM mainframe users by Macro 4, presented at the GSE UK Conference earlier this month, awareness of MFA was high: 64 per cent of respondents knew that it was part of the IBM platform. However, many were resistant or just slow to adopt, with 80 per cent making no moves towards MFA.

Keith Banham, Mainframe Research and Development Manager at Macro 4, said that the data was "concerning". He added, "Continuing to rely on a password alone for user authentication exposes business-critical applications to unacceptable risk. Hackers are now very adept at misleading people into revealing their passwords or they use technology to crack, steal or bypass them altogether."

MFA is now a key part of compliance for several important technology regulations, including the GDPR and the Payment Card Industry Data Security Standard (PCI DSS). Only 59 per cent of respondents said that they were aware of this, 24 per cent said that they were not aware, and 17 per cent said 'Don't know' (which in this context can be taken as 'Not aware').

When asked why they had not yet implemented MFA, businesses provided a variety of reasons. Among the most common were the risks of making changes to older applications to support new technologies (28 per cent); lack of mainframe or IT security skills (25 and 22 per cent, respectively); the complexity and cost of installing MFA hardware and software (22 and 17 per cent, respectively); and end-user resistance (21 per cent).

Sixteen per cent of respondents, presumably from the 41 per cent of users who said that they were unaware of MFA's importance to new regulations, said that they felt that MFA was unnecessary, and 12 per cent said that the entire process was too complex.

Picking up on this last point, Banham said that mainframe customers must find new ways to make MFA implementations easier, such as by using session management software.