
SSO Saves the Day for PCI MFA

You might be scratching your head over the alphabet soup in the title. Here’s the deal.

Under Requirement 8 (Identify and authenticate access to system components), PCI DSS defines the requirements for anyone accessing systems that contain cardholder data and are part of the cardholder data environment (CDE).

In PCI DSS V3.2, Requirement 8.3 was expanded into two sub-requirements, 8.3.1 and 8.3.2. These require multi-factor authentication (MFA) for all non-console administrative access to the CDE (8.3.1) and multi-factor authentication for all remote access to the CDE (8.3.2).

Further, 8.3.1 is a best practice until January 31, 2018, when it becomes a requirement.

“Multi-factor” just means that you must use two or more of the three basic authentication factors:

  1. something you know;
  2. something you have; or
  3. something you are.

For more details, see the PCI Security Standards Council’s short blog post on the topic and its supplement on multi-factor authentication.

This is kind of a big deal because of the guidance for implementing MFA correctly.

Specifically, the guidance says that the implementation must verify both factors “prior to the authentication mechanism granting the requested access.”

In addition, “no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented.” This is necessary to avoid leaking information about which factor was valid or invalid.
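To make the two implementation points concrete, here is an added example (not code from the original post) that puts the common anti-pattern beside a form that follows the guidance. It assumes a constructed user store with one CDE administrator, PBKDF2 for the password factor and an RFC 6238 TOTP code for the second factor; the names `login_leaky` and `login_compliant` are illustrative.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 100_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the usual authenticator-app default."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, code, now, step=30):
    # Accept one step of clock skew either way; compare every candidate in constant time.
    ok = False
    for drift in (-1, 0, 1):
        ok |= hmac.compare_digest(totp(secret, now + drift * step, step), code)
    return ok

# Constructed user store: one CDE administrator with a password hash and a TOTP secret.
_SALT = os.urandom(16)
USERS = {"cde-admin": {"salt": _SALT, "pw_hash": hash_password("correct horse battery staple", _SALT),
                       "totp_secret": b"12345678901234567890"}}
# Decoy record so that an unknown username costs the same work as a real one.
_DECOY = {"salt": _SALT, "pw_hash": hash_password(os.urandom(8).hex(), _SALT), "totp_secret": b"\x00" * 20}

def login_leaky(username, password, code, now=None):
    """Anti-pattern: checks the factors one after another and says which one failed."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "bad password"  # reveals the password was wrong; the OTP was never even looked at
    if not verify_totp(user["totp_secret"], code, now):
        return "bad code"  # reveals the password was right
    return "ok"

def login_compliant(username, password, code, now=None):
    """Both factors are presented together and both are evaluated before any answer is given."""
    now = time.time() if now is None else now
    user = USERS.get(username, _DECOY)  # unknown users still do the full amount of work
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    granted = pw_ok & otp_ok & (username in USERS)  # bitwise &: no short-circuit between factors
    return "ok" if granted else "authentication failed"  # one generic outcome for every failure
```

The leaky version fails the PCI guidance in two ways: it returns a different message per factor, and it returns early, so the time it takes also tells the caller which factor was rejected. The compliant version takes both factors on one request, evaluates each one regardless of the other, and gives a single generic answer, which is what “no prior knowledge of the success or failure of any factor” requires in practice.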

The guidance follows recommendations and best practices from organizations such as the National Institute of Standards and Technology (NIST).

Why is this so interesting now? Because currently there is no way to implement MFA — as recommended by PCI guidance — on IBM i!

System authentication is deeply integrated into many IBM i interfaces, and changing this would require large changes in several places in IBM i. IBM currently has no plans for making changes in this area.

The PCI DSS guidance, however, does provide a bit of an out for IBM i users.

It allows MFA authentication to the “CDE/corporate network” from which the individual may access the IBM i within the CDE using a “single authentication factor as long as it requires a different password, digital certificate, or signed challenge-response.”

And this is where single sign-on (SSO) comes in. 

SSO — as implemented by our SSO stat! service — is based on Kerberos authentication and identity mapping through EIM.

In most environments, a Windows userID/password combination is needed to log into the network. Soon a second factor will also be needed for those with administrative access to the CDE.

When you have SSO set up in your environment, logging in with your Windows userID and password obtains a Kerberos ticket. When you then access another server in the CDE using SSO, authentication is handled by a Kerberos ticket challenge-response.

Herein lies the beauty.

Kerberos is not a userID/password authentication mechanism between a client and server. Despite common belief, the ticket does not contain passwords!

Therefore, using MFA to access the network — and then using SSO via Kerberos and EIM — will meet the new PCI DSS guidance.
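The following is an added illustration, not code from the original post or from the SSO stat! service, of why the ticket exchange carries no password. It models the three Kerberos exchanges (AS, TGS and AP) with a toy authenticated-encryption routine standing in for the real Kerberos enctypes, omits pre-authentication and the EIM mapping step, and uses an assumed IBM i style service principal name; the KDC, client and service classes are illustrative.

```python
import hashlib
import hmac
import json
import os
import time

LIFETIME, SKEW = 3600, 300  # ticket lifetime and allowed clock skew, in seconds

# Toy authenticated encryption (HMAC-SHA256 keystream + tag): a stand-in for the real Kerberos enctypes.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, body):
    pt = json.dumps(body, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, realm, principal):
    # The long-term key is derived from the password on the client; the KDC stores only the key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _check(ticket, auth):
    now = time.time()
    if auth["client"] != ticket["client"] or ticket["exp"] < now or abs(now - auth["ts"]) > SKEW:
        raise ValueError("ticket/authenticator mismatch")

class KDC:
    """Holds every principal's long-term key and issues tickets (pre-authentication omitted)."""
    def __init__(self, realm):
        self.realm, self.keys, self.krbtgt_key = realm, {}, os.urandom(32)
    def register(self, principal, key):
        self.keys[principal] = key
    def as_exchange(self, client):
        # AS-REP: readable only with the client's key, so no password ever travels.
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": client, "sk": sk, "exp": time.time() + LIFETIME})
        return seal(self.keys[client], {"sk": sk, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt, authenticator, service):
        # TGS-REQ: the client proves it holds the TGT session key by sealing a fresh timestamp.
        t = unseal(self.krbtgt_key, tgt)
        _check(t, unseal(bytes.fromhex(t["sk"]), authenticator))
        sk2 = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": sk2, "exp": time.time() + LIFETIME})
        return seal(bytes.fromhex(t["sk"]), {"sk": sk2, "ticket": ticket.hex()})

class Client:
    def __init__(self, kdc, user, password):
        self.kdc, self.user = kdc, user
        self.key = string_to_key(password, kdc.realm, user)  # derived locally, never sent
    def login(self):
        rep = unseal(self.key, self.kdc.as_exchange(self.user))  # a wrong password fails here
        self.sk1, self.tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    def ap_req(self, service):
        auth = seal(self.sk1, {"client": self.user, "ts": time.time()})
        rep = unseal(self.sk1, self.kdc.tgs_exchange(self.tgt, auth, service))
        ticket, sk2 = bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["sk"])
        return ticket, seal(sk2, {"client": self.user, "ts": time.time()})

class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key
    def accept(self, ticket, authenticator):
        # AP-REQ: open the ticket with our own key, then check the authenticator under the session key.
        t = unseal(self.key, ticket)
        _check(t, unseal(bytes.fromhex(t["sk"]), authenticator))
        return t["client"]  # the Kerberos principal that EIM would map to an IBM i user profile

def demo(password="correct horse battery staple", attempt=None):
    """Full AS -> TGS -> AP run; returns the principal the service saw and whether the ticket hides the password."""
    kdc = KDC("EXAMPLE.COM")
    kdc.register("alice", string_to_key(password, "EXAMPLE.COM", "alice"))
    svc, svc_key = "krbsvr400/ibmi.example.com", os.urandom(32)  # service principal name assumed for illustration
    kdc.register(svc, svc_key)
    alice = Client(kdc, "alice", attempt or password)
    alice.login()
    ticket, auth = alice.ap_req(svc)
    return Service(svc, svc_key).accept(ticket, auth), password.encode() not in ticket

def wrong_password_is_rejected():
    try:
        demo(attempt="not the password")
        return False
    except ValueError:
        return True
```

The only place the password is used is inside the client, to derive the key that opens the AS reply. Everything the service receives is a ticket sealed under the service’s own long-term key plus an authenticator sealed under a fresh session key, so the service proves who the caller is without ever seeing or storing a user password, which is the property that lets the Kerberos leg count as the “signed challenge-response” the PCI guidance allows.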

If your company is subject to PCI DSS compliance, ask us what’s involved in implementing Kerberos-based SSO in your environment.

I think you’ll find that this is one of the easiest measures you’ve ever taken to ensure PCI compliance and — refreshingly — one that will actually pay for itself in a relatively short period of time!

Feel free to download the Botz & Associates SSO ROI Calculator to give you an idea of how quickly you can recoup your costs.

