[Info-vax] VMS and MFA?

Arne Vajhøj arne at vajhoej.dk
Wed Aug 19 09:40:32 EDT 2020


On 8/19/2020 5:20 AM, Phillip Helbig (undress to reply) wrote:
> In article <rhik59$9mi$1 at dont-email.me>,
> Jan-Erik Söderholm <jan-erik.soderholm at telia.com>
> writes:
>> As in many other places, our VMS systems live in a much larger
>> non-VMS environment. Lately, MFA (Multi Factor Authentication)
>> https://en.wikipedia.org/wiki/Multi-factor_authentication has
>> been introduced at this company. So when, like connecting to
>> the Citrix remote environment, I get an SMS ("text") with a code
>> that needs to be entered in the login sequence.
>>
>> Now, I have not seen any ready-made solution for this for VMS.
>> I know about the LDAP based account/password synchronisation
>> against (usually) Microsoft AD. But that is not MFA as such.
> 
> Probably most VMS systems affected by this have some sort of MFA in
> order to get to a session (perhaps recorded) where one can get to VMS
> via ssh or whatever.

Indeed.

I would expect a typical setup to be:
1) connect to corporate network
2) tunnel into production environment
3) login to VMS

#1 and #2 seem much more obvious candidates for 2FA than #3.
For security reasons!

> It shouldn't be too difficult to roll your own.  Many mobile-phone
> providers have the possibility to convert emails to SMS.  If your VMS
> system can send email, then you could compute some random number in
> SYS$SYLOGIN, send it as an SMS, and then READ/PROMPT="_code: " and then
> exit if nothing correct is entered (quickly enough).

You need to:
* send email
* do timeout
* log bad attempts
* block or delay access if too many bad attempts
* enable user to resend number
* manage user to phone mapping preferably self service
* have process for disable general and for specific user
etc., etc.

If anything COTS exists then I would go for that.

Arne
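As an added illustration (not code from either poster), here is the control flow Phillip's roll-your-own sketch and Arne's checklist together describe: generate a code, push it through an e-mail-to-SMS gateway, accept it only within a time window, log bad attempts, lock the user out after too many, and let a fresh `issue()` serve as the resend. The gateway, the user-to-phone map and the limits are assumptions; the sender is an injected callable so the logic can be tested offline, and on VMS this would be invoked from SYS$SYLOGIN rather than replace it.

```python
"""Login-time SMS one-time-code gate; an added example, not from the thread.
Assumptions: an e-mail-to-SMS gateway reachable via `send`, a username -> SMS
address map, and the limits below."""
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_S = 120      # the code must be entered within this window (assumed)
MAX_FAILURES = 3      # bad attempts before the user is locked out (assumed)
LOCKOUT_S = 900       # length of a lockout in seconds (assumed)

class OtpGate:
    def __init__(self, phone_map, send, clock=time.monotonic, log=print):
        self.phone_map = phone_map   # username -> e-mail-to-SMS address
        self.send = send             # send(address, text): the gateway hop
        self.clock = clock
        self.log = log
        self.failures = {}           # username -> (bad count, locked until)

    def issue(self, user):
        """Generate and deliver a fresh code (also the 'resend' path).
        Returns (code, expiry) or None when the user has no phone mapped."""
        addr = self.phone_map.get(user)
        if addr is None:
            self.log(f"OTP: no phone mapped for {user}; refusing login")
            return None   # no mapping is a failure, never a bypass
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.send(addr, f"Login code: {code}")
        return code, self.clock() + CODE_TTL_S

    def verify(self, user, issued, entered):
        """Check one attempt; True means the login may proceed."""
        count, until = self.failures.get(user, (0, 0.0))
        now = self.clock()
        if now < until:
            self.log(f"OTP: {user} locked out until {until:.0f}")
            return False
        if until:                    # a lockout has expired: count afresh
            count, until = 0, 0.0
        if issued is None or now > issued[1]:
            self.log(f"OTP: code for {user} expired or never issued")
            return False             # an expired code never passes
        if hmac.compare_digest(issued[0], entered.strip()):
            self.failures.pop(user, None)
            return True
        count += 1
        until = now + LOCKOUT_S if count >= MAX_FAILURES else 0.0
        self.failures[user] = (count, until)
        self.log(f"OTP: bad code for {user} ({count}/{MAX_FAILURES})")
        return False
```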