Security has consistently been a foundational element of IBM i, and with the release of IBM i 7.6, IBM has taken another step forward by extending Multi-Factor Authentication (MFA) to System Service Tools (SST) and Dedicated Service Tools (DST).
Traditionally, SST/DST access has been controlled by strong passwords and special authorities. However, given the increasing threat landscape and compliance requirements, password-only authentication is no longer considered sufficient. MFA adds a second layer of protection, ensuring that even if a password is compromised, unauthorized users cannot gain access.
- Dedicated service tools (DST) and system service tools (SST) can be configured for MFA
- Implementation process is separate from the Operating System MFA
- Individual user profile attributes can be configured to require an additional sign-on factor for the user
What is MFA on IBM i?
Multi-factor Authentication combines two or more independent factors to validate a user’s identity:
- Something you know – password or PIN.
- Something you have – security token, mobile authenticator app, hardware key.
On IBM i 7.6, MFA for SST/DST typically integrates with token-based solutions such as IBM MFA for i and supports time-based one-time passwords (TOTP) as defined in RFC 6238. Any compatible TOTP client can therefore be used: a PC application, a smartphone app, a smartwatch app, or a physical token, for example Google Authenticator or IBM Verify.
Enabling MFA for SST
- Login to SST
- Select option 8 (Work with Service Tools Server Security and Devices).
- Select option 5 (Work with service tools security options).
- Change the (Additional sign-on factor enabled) field and press Enter.

Figure 1. Showing Additional sign-on factor as *ENABLED for SST
Once multi-factor authentication for SST is enabled, the next step is to configure MFA for the desired user. To do that, sign on as the user for whom multi-factor authentication is to be enabled.
- Generate a TOTP key for the SST user:
1. Start System Service Tools (SST).
2. Work with Service Tools Server Security and Devices.
3. Work with Service Tools User IDs.
4. Take option 8 (Change TOTP key) against this user.
5. Press F8 to generate the key automatically.
6. The TOTP Key display shows your TOTP key and the recovery key. Enter the TOTP key into your authenticator app, then copy the recovery key and store it in a safe place.
7. On the Verify TOTP Factor display, enter the TOTP factor generated by your authenticator application.
8. If the TOTP factor verification succeeds, the Work with Service Tools User IDs display appears and the TOTP key is saved to the user ID.
- Set the TOTP enabled attribute for the service tools user ID.
- The SST user is now ready to sign on with user ID, password, and the TOTP factor in the Additional factor field.

Figure 2. SST user having MFA enabled with valid TOTP Key
Example Scenario
An administrator attempts to sign in to SST:

Figure 3. SST log-on screen with MFA enabled
- They enter their SST profile ID and password.
- The system also requires a 6-digit OTP generated by their mobile authenticator.
- Only upon correct entry of the OTP is access granted.
This ensures that even if the SST password is stolen, the attacker cannot log in without also possessing the registered MFA device.
Best Practices
- Apply MFA to all privileged accounts – not just QSECOFR, but also all service tool profiles.
- Audit MFA logs regularly to detect suspicious attempts.
- Train administrators on MFA usage and recovery steps in case of device loss.
Conclusion
With IBM i 7.6, extending Multi-factor Authentication to System Service Tools represents a major security enhancement. It strengthens protection of the most sensitive system access point and aligns IBM i with modern enterprise security requirements.
By implementing MFA on SST/DST, organizations can significantly reduce the risk of unauthorized access, meet compliance obligations, and ensure that their IBM i systems remain one of the most secure platforms in the industry.
