On 3/21/18, 12:49 PM, "IBM Mainframe Discussion List on behalf of Jesse 1 Robinson" <[email protected] on behalf of [email protected]> wrote:

> So how does MFA work in practice? I ask because the idea of having to go
> through MFA every few minutes would be a very hard sell at the ranch.
It's not really a big issue for most modern setups. Some MFA solutions are priced per authentication, so you have to balance security vs cost. Use of things like Kerberos, where you can authenticate on your local system and get a delegatable passticket that you can use with network services like a VPN server without passwords passing over the wire, is a major plus. It has a lot to do with just how paranoid your security people are, whether they have done the due diligence on the typical length of a session, and whether they've given some thought to how identities and credentials are handled network-wide. It also depends on whether your setup permits different timeouts by userid/group so trusted users can be allowed longer intervals before reauthentication. For example, most modern VPN servers use RADIUS to set session parameters, so it's not too hard to allow per-user settings. Kerberos is pretty much the only universally accepted network identity management system that all the vendors can agree on (thank you, MIT), so if your setup can use it or one of its derivatives like Active Directory, it's a big plus. It's like most things: did you pick reasonable default behaviors? If you did, it's not a pain.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
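The per-group session timeouts the reply describes can be expressed in a RADIUS server's user database, so the VPN concentrator enforces a shorter reauthentication interval for less-trusted populations and a longer one for trusted staff. The following is an added illustration, not configuration from the list message or from any IBM-MAIN poster; it uses the FreeRADIUS `users` file format with the standard RFC 2865 reply attributes `Session-Timeout` (27) and `Idle-Timeout` (28). The group names and second values are constructed, and the `Ldap-Group` check item assumes the server's LDAP module is the group source (with the Unix backend the check item would be `Group` instead).

```text
# Constructed FreeRADIUS "users" entries (added example, not from the page).
# Check items on the first line select the entry; indented reply items
# are returned to the NAS (VPN server) in the Access-Accept and bound
# the session, after which the user must authenticate (and do MFA) again.

# Trusted administrators: long absolute session, moderate idle cutoff.
DEFAULT Ldap-Group == "vpn-trusted-admins"
        Session-Timeout = 28800,
        Idle-Timeout = 1800,
        Fall-Through = No

# Contractors and third parties: short session, aggressive idle cutoff.
DEFAULT Ldap-Group == "vpn-contractors"
        Session-Timeout = 3600,
        Idle-Timeout = 600,
        Fall-Through = No

# Everyone else: the conservative default the reply argues you should
# choose deliberately rather than inherit from the appliance.
DEFAULT
        Session-Timeout = 14400,
        Idle-Timeout = 900
```

Entries are matched top to bottom, so the most privileged (and longest-lived) groups are listed first with `Fall-Through = No` to stop evaluation; a user in no listed group falls to the final `DEFAULT`. The NAS must honour these attributes for the policy to mean anything, so after deploying the file confirm with accounting records that sessions for each group actually end at the configured intervals rather than trusting the vendor's own timeout setting.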
